MY HIJACKTHIS LOGFILE

Unread postby lala82 » March 13th, 2009, 10:05 pm

This is my niece's computer, but it's very slow and I don't know why.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:04 PM, on 3/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\System\mgnc\wsd.exe
C:\Program Files\Common Files\System\mgnc\mcdk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\System\mgnc\angpd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Gamevance - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - C:\Program Files\Gamevance\gamevancelib32.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [76112549345328287] C:\Program Files\Common Files\System\mgnc\angpd.exe
O4 - HKLM\..\RunOnce: [65438761234587528] C:\Program Files\Common Files\System\mgnc\rkgnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3877938031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3877991406
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5591 bytes
lala82
Regular Member
 
Posts: 20
Joined: December 13th, 2008, 8:40 am
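The log above is a HijackThis report, and the items the helper goes after later in this thread are already visible in it: the Winlogon Notify package WinCtrl32 (its DLL is among ComboFix's "Other Deletions"), the Gamevance BHO whose file is missing (removed as an orphan in the same run), and the Run/RunOnce values whose names are long strings of digits. As an added example that is not part of the thread and not code from HijackThis or ComboFix, here is a small Python triage script that parses lines in this format and flags those three patterns so a reviewer sees them first. The sample input is copied from the log above; the allowlist of Winlogon Notify packages is a partial list constructed for the example and should be extended from a known-clean reference machine before real use.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Gamevance - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - C:\Program Files\Gamevance\gamevancelib32.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [76112549345328287] C:\Program Files\Common Files\System\mgnc\angpd.exe
O4 - HKLM\..\RunOnce: [65438761234587528] C:\Program Files\Common Files\System\mgnc\rkgnd.exe
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Partial allowlist of Winlogon Notify packages that ship with Windows XP SP2.
# Constructed for this example; build the real list from a clean reference machine.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# "O4 - HKLM\..\Run: [Name] command" and similar section lines.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_lines(log_text):
    """Yield (section, body, raw_line) for every 'Oxx - ...' / 'Rx - ...' line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def triage(log_text):
    """Return the entries a reviewer should look at first.

    Three heuristics, each matching something in the log above:
      O2  - a BHO whose DLL no longer exists (orphaned registration)
      O4  - a Run/RunOnce value whose name is digits only
      O20 - a Winlogon Notify package that is not in the allowlist
    """
    findings = []
    for section, body, raw in parse_lines(log_text):
        if section == "O2" and body.endswith("(file missing)"):
            findings.append(Finding(section, "BHO registered but its DLL is missing", raw))
        elif section == "O4":
            m = O4_RE.match(body)
            if m and m.group("name").isdigit():
                findings.append(Finding(section, "Run/RunOnce value named with digits only", raw))
        elif section == "O20":
            m = O20_RE.match(body)
            if m and m.group("name").lower() not in KNOWN_NOTIFY_PACKAGES:
                findings.append(Finding(section, "Winlogon Notify package not in allowlist", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run it on a saved hijackthis.log by reading the file into `triage()`; lines from sections the script does not check (R1, O23 and so on) are parsed but produce no finding, so the output is only the handful of entries worth a closer look, not a verdict on the machine.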

Re: MY HIJACKTHIS LOGFILE

Unread postby peku006 » March 17th, 2009, 12:45 pm

Hello and welcome to Malware Removal.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

3 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: MY HIJACKTHIS LOGFILE

Unread postby lala82 » March 19th, 2009, 9:47 pm

I did everything for the ComboFix, but it doesn't open. I get up to the point where it asks me if I want it to Run or Cancel. I hit Run and it doesn't even start; it just goes back to my regular screen as if I didn't hit Run. What can I do?
lala82
Regular Member
 
Posts: 20
Joined: December 13th, 2008, 8:40 am

Re: MY HIJACKTHIS LOGFILE

Unread postby peku006 » March 20th, 2009, 10:12 am

Hi lala82

OK, don't worry about ComboFix, we'll try different tools.

1 - Download and Run Malwarebytes' Anti-Malware
  1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  2. Double click on mbam-setup.exe to install it.
  3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  6. Leave the default options as they are and click on Start Scan.
  7. When done, you will be prompted. Click OK, then click on Show Results.
  8. Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.
  9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.

2 - download and run RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

3 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)
2. the Malwarebytes' Anti-Malware Log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: MY HIJACKTHIS LOGFILE

Unread postby lala82 » March 20th, 2009, 11:30 pm

The same thing happens with the malware program. I download it and I have an icon on the desktop, and I double-click on it to open it and it does nothing. Is that bad?
lala82
Regular Member
 
Posts: 20
Joined: December 13th, 2008, 8:40 am

Re: MY HIJACKTHIS LOGFILE

Unread postby peku006 » March 21st, 2009, 4:19 am

Hi lala82
Is that bad?

I cannot say at this stage what the problem is.
If you have a previous version of ComboFix.exe, delete it and download a fresh copy.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: MY HIJACKTHIS LOGFILE

Unread postby lala82 » March 23rd, 2009, 2:23 pm

OK I FINALLY GOT IT!!! HERE IT IS THE COMBO FIX AND THE HIJACKTHIS TEXT LOG

Another question: there's other users on this computer. When I do all these scans, does it come up from their user too?


ComboFix 09-03-22.01 - Daymila 2009-03-23 13:12:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.315 [GMT -5:00]
Running from: c:\documents and settings\Daymila\Desktop\Combo-Fix.exe
AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\windows\system32\drivers\UACfulnqwhp.sys
c:\windows\system32\drivers\Winmf53.sys
c:\windows\system32\UACbqubftiq.dll
c:\windows\system32\UACerrpdwyi.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACipjyurqt.log
c:\windows\system32\UACnsjywbwv.dll
c:\windows\system32\UACsjwmqyfp.log
c:\windows\system32\UACxbqeexev.dll
c:\windows\system32\UACxmtaowbn.log
c:\windows\system32\UACxnmfvpgw.dll
c:\windows\system32\UACyrqpmfhf.dll
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\winscenter.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_WINMF53
-------\Service_Winmf53


((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-20 21:07 . 2009-03-20 21:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 21:07 . 2009-03-20 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-20 21:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 21:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-14 16:15 . 2009-03-14 16:18 <DIR> d-------- c:\documents and settings\Daymila\Application Data\ArcSoft
2009-03-14 14:12 . 2009-03-14 14:12 <DIR> d-------- c:\windows\Sun
2009-03-14 14:10 . 2009-03-14 14:10 <DIR> d-------- c:\program files\Java
2009-03-14 14:10 . 2009-03-14 14:10 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-14 14:05 . 2009-03-14 14:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-13 21:02 . 2009-03-13 21:02 <DIR> d-------- c:\program files\Trend Micro
2009-03-13 20:53 . 2009-03-13 20:53 <DIR> d-------- c:\program files\Panda Security
2009-03-11 18:47 . 2009-03-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\E379
2009-03-11 18:47 . 2009-03-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\4115
2009-03-11 18:47 . 2009-03-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\2CD0
2009-03-11 18:47 . 2009-03-11 18:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\13F
2009-03-11 18:45 . 2009-03-11 18:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\159C
2009-03-08 19:37 . 2009-03-08 19:37 <DIR> d-------- C:\My Downloads
2009-03-08 19:37 . 2009-03-08 19:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\34290
2009-03-08 18:53 . 2006-07-17 20:02 <DIR> d-------- c:\documents and settings\amy\WINDOWS
2009-03-08 18:53 . 2006-07-25 20:38 <DIR> d---s---- c:\documents and settings\amy\UserData
2009-03-08 18:53 . 2006-07-17 20:02 <DIR> d-------- c:\documents and settings\amy\Application Data\Symantec
2009-03-08 18:53 . 2006-07-17 20:02 <DIR> d-------- c:\documents and settings\amy\Application Data\SampleView
2009-03-08 18:53 . 2006-07-17 20:02 <DIR> d-------- c:\documents and settings\amy\Application Data\CyberLink
2009-03-08 18:53 . 2006-07-17 20:02 <DIR> d-------- c:\documents and settings\amy\Application Data\Ahead
2009-03-08 18:53 . 2009-03-20 23:19 <DIR> d-------- c:\documents and settings\amy
2009-03-08 17:11 . 2009-03-08 17:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\3B24B
2009-03-08 16:55 . 2009-03-13 20:26 <DIR> d-------- c:\program files\BearShare Applications
2009-03-08 16:55 . 2009-03-08 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\34393
2009-03-08 16:55 . 2008-09-25 08:20 483,328 --a------ c:\windows\system32\actskn45.ocx
2009-03-05 20:55 . 2009-03-05 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\AV2010
2009-03-05 20:55 . 2009-03-05 20:55 3 --a------ c:\documents and settings\All Users\Application Data\SysLoader.exe
2009-03-02 18:50 . 2009-03-02 18:50 23,040 --a------ c:\documents and settings\Daymila\S87ekhV.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 17:41 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-06 01:29 --------- d-----w c:\program files\ArcSoft
2009-02-21 21:14 --------- d-----w c:\program files\DivX
2009-02-21 21:01 --------- d-----w c:\program files\GameHouse
2009-02-21 21:00 --------- d-----w c:\program files\QuickTime
2009-02-21 21:00 --------- d-----w c:\program files\iWin.com
2009-02-21 21:00 --------- d-----w c:\program files\Common Files\Real
2009-02-21 20:56 --------- d-----w c:\program files\Disney Interactive
2009-02-21 01:48 --------- d-----w c:\documents and settings\Daymila\Application Data\Talkback
2009-02-19 02:39 --------- d-----w c:\program files\Pure Networks
2009-02-19 02:39 --------- d-----w c:\program files\Google
2009-02-19 02:39 --------- d-----w c:\program files\Common Files\AOL
2009-02-15 23:05 --------- d-----w c:\program files\Core Design
2009-02-15 23:01 --------- d-----w c:\documents and settings\Daymila\Application Data\AOL
2009-02-15 23:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-04 19:41 --------- d-----w c:\program files\ReflexiveArcade
2009-02-04 19:40 --------- d-----w c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2009-02-02 23:04 --------- d-----w c:\program files\AskSearch
.

------- Sigcheck -------

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-08-10 17:00 2015232 fb142b7007ca2eea76966c6c5cc12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 c:\windows\system32\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-08-10 17:00 2148352 626309040459c3915997ef98ec1c8d40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:59 2179328 4d4cf2c14550a4b7718e94a6e581856e c:\windows\Driver Cache\i386\ntoskrnl.exe
2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"76112549345328287"="c:\program files\Common Files\System\mgnc\angpd.exe" [2009-02-25 1195520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"65438761234587528"="c:\program files\Common Files\System\mgnc\rkgnd.exe" [2009-02-27 318934]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2008-10-11 51200]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Dayme.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-21 19:34]

2009-03-14 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Wilber.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-21 19:34]

2006-07-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-09-09 20:21]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - c:\program files\Gamevance\gamevancelib32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Daymila\Application Data\Mozilla\Firefox\Profiles\m275cw51.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 13:16:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\System\mgnc\wsd.exe
c:\program files\Common Files\System\mgnc\mcdk.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2009-03-23 13:18:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-23 18:18:35

Pre-Run: 189,566,377,984 bytes free
Post-Run: 189,831,667,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:24 PM, on 3/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\System\mgnc\wsd.exe
C:\Program Files\Common Files\System\mgnc\mcdk.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [76112549345328287] C:\Program Files\Common Files\System\mgnc\angpd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [65438761234587528] C:\Program Files\Common Files\System\mgnc\rkgnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3877938031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3877991406
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5906 bytes
lala82
Regular Member
 
Posts: 20
Joined: December 13th, 2008, 8:40 am

Re: MY HIJACKTHIS LOGFILE

Unread postby peku006 » March 23rd, 2009, 3:58 pm

Hi lala82
there's other users on this computer. When I do all these scans, does it come up from their user too?

Yes

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\All Users\Application Data\SysLoader.exe
c:\documents and settings\Daymila\S87ekhV.exe
c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9

Folder::
c:\documents and settings\All Users\Application Data\AV2010



Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Run Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the System Volume Information folder and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.

3 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: MY HIJACKTHIS LOGFILE

Unread postby lala82 » March 23rd, 2009, 10:29 pm

Here you go!! ;)


ComboFix 09-03-22.01 - Daymila 2009-03-23 20:33:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.314 [GMT -4:00]
Running from: c:\documents and settings\Daymila\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Daymila\Desktop\CFScript.txt
AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9
c:\documents and settings\All Users\Application Data\SysLoader.exe
c:\documents and settings\Daymila\S87ekhV.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\AV2010
c:\documents and settings\All Users\Application Data\AV2010\AV2010.exe
c:\documents and settings\All Users\Application Data\AV2010\IEDefender.dll
c:\documents and settings\All Users\Application Data\AV2010\svchost.exe
c:\documents and settings\All Users\Application Data\SysLoader.exe
c:\documents and settings\Daymila\S87ekhV.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-20 22:07 . 2009-03-20 22:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 22:07 . 2009-03-20 22:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-20 22:07 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-20 22:07 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-14 17:15 . 2009-03-14 17:18 <DIR> d-------- c:\documents and settings\Daymila\Application Data\ArcSoft
2009-03-14 15:12 . 2009-03-14 15:12 <DIR> d-------- c:\windows\Sun
2009-03-14 15:10 . 2009-03-14 15:10 <DIR> d-------- c:\program files\Java
2009-03-14 15:10 . 2009-03-14 15:10 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-14 15:05 . 2009-03-14 15:10 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-13 22:02 . 2009-03-13 22:02 <DIR> d-------- c:\program files\Trend Micro
2009-03-13 21:53 . 2009-03-13 21:53 <DIR> d-------- c:\program files\Panda Security
2009-03-11 19:47 . 2009-03-11 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\E379
2009-03-11 19:47 . 2009-03-11 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\4115
2009-03-11 19:47 . 2009-03-11 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\2CD0
2009-03-11 19:47 . 2009-03-11 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\13F
2009-03-11 19:45 . 2009-03-11 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\159C
2009-03-08 20:37 . 2009-03-08 20:37 <DIR> d-------- C:\My Downloads
2009-03-08 20:37 . 2009-03-08 20:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\34290
2009-03-08 19:53 . 2006-07-17 21:02 <DIR> d-------- c:\documents and settings\amy\WINDOWS
2009-03-08 19:53 . 2006-07-25 21:38 <DIR> d---s---- c:\documents and settings\amy\UserData
2009-03-08 19:53 . 2006-07-17 21:02 <DIR> d-------- c:\documents and settings\amy\Application Data\Symantec
2009-03-08 19:53 . 2006-07-17 21:02 <DIR> d-------- c:\documents and settings\amy\Application Data\SampleView
2009-03-08 19:53 . 2006-07-17 21:02 <DIR> d-------- c:\documents and settings\amy\Application Data\CyberLink
2009-03-08 19:53 . 2006-07-17 21:02 <DIR> d-------- c:\documents and settings\amy\Application Data\Ahead
2009-03-08 19:53 . 2009-03-21 00:19 <DIR> d-------- c:\documents and settings\amy
2009-03-08 18:11 . 2009-03-08 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\3B24B
2009-03-08 17:55 . 2009-03-13 21:26 <DIR> d-------- c:\program files\BearShare Applications
2009-03-08 17:55 . 2009-03-08 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\34393
2009-03-08 17:55 . 2008-09-25 09:20 483,328 --a------ c:\windows\system32\actskn45.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 00:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-06 01:29 --------- d-----w c:\program files\ArcSoft
2009-02-21 21:14 --------- d-----w c:\program files\DivX
2009-02-21 21:01 --------- d-----w c:\program files\GameHouse
2009-02-21 21:00 --------- d-----w c:\program files\QuickTime
2009-02-21 21:00 --------- d-----w c:\program files\iWin.com
2009-02-21 21:00 --------- d-----w c:\program files\Common Files\Real
2009-02-21 20:56 --------- d-----w c:\program files\Disney Interactive
2009-02-21 01:48 --------- d-----w c:\documents and settings\Daymila\Application Data\Talkback
2009-02-19 02:39 --------- d-----w c:\program files\Pure Networks
2009-02-19 02:39 --------- d-----w c:\program files\Google
2009-02-19 02:39 --------- d-----w c:\program files\Common Files\AOL
2009-02-15 23:05 --------- d-----w c:\program files\Core Design
2009-02-15 23:01 --------- d-----w c:\documents and settings\Daymila\Application Data\AOL
2009-02-15 23:01 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-04 19:41 --------- d-----w c:\program files\ReflexiveArcade
2009-02-04 19:40 --------- d-----w c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2009-02-02 23:04 --------- d-----w c:\program files\AskSearch
.

------- Sigcheck -------

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2004-08-10 18:00 2015232 fb142b7007ca2eea76966c6c5cc12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2005-03-01 20:34 2015232 3cd941e472ddf3534e53038535719771 c:\windows\system32\ntkrnlpa.exe

2005-03-01 21:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2004-08-10 18:00 2148352 626309040459c3915997ef98ec1c8d40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 20:59 2179328 4d4cf2c14550a4b7718e94a6e581856e c:\windows\Driver Cache\i386\ntoskrnl.exe
2005-03-01 20:57 2135552 48b3e89af7074cee0314a3e0c7faffdb c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-23_13.18.00.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2006-07-18 10:29:13 45,408 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-24 00:24:02 45,408 ----a-w c:\windows\system32\perfc009.dat
- 2006-07-18 10:29:13 363,734 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-24 00:24:02 363,734 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-24 00:22:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"76112549345328287"="c:\program files\Common Files\System\mgnc\angpd.exe" [2009-02-25 1195520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"65438761234587528"="c:\program files\Common Files\System\mgnc\rkgnd.exe" [2009-02-27 318934]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2008-10-11 51200]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Dayme.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-21 20:34]

2009-03-14 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Wilber.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-21 20:34]

2006-07-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-09-09 21:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Daymila\Application Data\Mozilla\Firefox\Profiles\m275cw51.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 20:34:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-23 20:35:31
ComboFix-quarantined-files.txt 2009-03-24 00:35:29
ComboFix2.txt 2009-03-23 18:18:40

Pre-Run: 189,802,053,632 bytes free
Post-Run: 189,791,993,856 bytes free

169





Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 2

3/23/2009 10:24:56 PM
mbam-log-2009-03-23 (22-24-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105516
Time elapsed: 17 minute(s), 40 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 23

Memory Processes Infected:
C:\Program Files\Common Files\System\mgnc\wsd.exe (Rogue.ANGav2009) -> Unloaded process successfully.
C:\Program Files\Common Files\System\mgnc\mcdk.exe (Rogue.ANGav2009) -> Unloaded process successfully.
C:\Program Files\Common Files\System\mgnc\mcdk.exe (Rogue.ANGav2009) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Total Virus Protection (Rogue.TotalVirusProtection) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ANG AntiVirus 09 (Rogue.ANGav2009) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\76112549345328287 (Rogue.ANGav2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\65438761234587528 (Rogue.ANGav2009) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\System\mgnc (Rogue.ANGav2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daymila\Start Menu\Programs\ANG AntiVirus 09 (Rogue.ANGav2009) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\System\mgnc\wsd.exe (Rogue.ANGav2009) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\mgnc\mcdk.exe (Rogue.ANGav2009) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\mgnc\angpd.exe (Rogue.ANGav2009) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\mgnc\rkgnd.exe (Rogue.ANGav2009) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\mgnc\angpid.exe (Rogue.ANGav2009) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Daymila\S87ekhV.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbqubftiq.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnsjywbwv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxbqeexev.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxnmfvpgw.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACyrqpmfhf.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\WinCtrl32.dl_.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP165\A0082311.dll (Trojan.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP165\A0082312.dll (Rootkit.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP165\A0082313.dll (Rootkit.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP165\A0082314.dll (Trojan.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP165\A0082315.dll (Trojan.TDSS) -> Not selected for removal.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP165\A0082316.dll (Trojan.Downloader) -> Not selected for removal.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP165\A0082322.sys (Rootkit.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{872B6E03-76F9-46CE-AD08-E698BECE8874}\RP167\A0083367.exe (Trojan.Downloader) -> Not selected for removal.
C:\Program Files\Common Files\System\mgnc\angpd.xml (Rogue.ANGav2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Daymila\Start Menu\Programs\ANG AntiVirus 09\ANG AntiVirus 09.lnk (Rogue.ANGav2009) -> Quarantined and deleted successfully.
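The registry section of the ComboFix log above carries the tells a helper reads first: Run/RunOnce values whose names are bare numbers pointing at binaries under Common Files\System, Security Center alerting switched off (AntiVirusDisableNotify and DisableMonitoring set to 1), the Windows Firewall disabled in the standard profile, and TCP 3389 opened to every network. As an added example (not part of this thread, and not code from ComboFix, Malwarebytes or any tool named here), the Python script below parses that REGEDIT4-style "Reg Loading Points" dump and reports those indicators. The sample input is a trimmed copy of the registry lines from the log posted above. The Security Center and firewall value names it checks (AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify, DisableMonitoring, EnableFirewall) are the real Windows XP values; the two autostart heuristics (all-digit value names, binaries under Common Files\System) are this example's own assumptions.

```python
"""Flag tampering indicators in the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix itself. The regexes
and the two autostart heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the registry section from the ComboFix
# log in the thread, with benign entries that do not affect the checks left out.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"76112549345328287"="c:\program files\Common Files\System\mgnc\angpd.exe" [2009-02-25 1195520]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"65438761234587528"="c:\program files\Common Files\System\mgnc\rkgnd.exe" [2009-02-27 318934]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Real Windows XP Security Center values; 1 means alerting/monitoring is off.
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify",
                "UpdatesDisableNotify", "DisableMonitoring")


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    reason: str


def parse_reg_dump(text):
    """Yield (key, value_name, data) triples from a REGEDIT4-style dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip()


def reg_int(data):
    """Parse ComboFix's 'dword:00000001' or '0 (0x0)' data forms into an int."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def analyse(text):
    """Return the list of Findings for one ComboFix registry section."""
    findings = []
    for key, name, data in parse_reg_dump(text):
        k = key.lower()
        if k.endswith(AUTOSTART_KEYS):
            # Data looks like "c:\path\file.exe" [date size]; keep the quoted path.
            m = re.match(r'"([^"]*)"', data)
            path = (m.group(1) if m else data).lower()
            if name.isdigit():
                findings.append(Finding(key, name, "autostart value name is a bare number"))
            if "\\common files\\system\\" in path:
                findings.append(Finding(key, name, "autostart binary under Common Files\\System"))
        elif "security center" in k:
            if name in NOTIFY_FLAGS and reg_int(data) == 1:
                findings.append(Finding(key, name, "Security Center alerting suppressed"))
        elif "firewallpolicy" in k:
            if name == "EnableFirewall" and reg_int(data) == 0:
                findings.append(Finding(key, name, "Windows Firewall disabled in this profile"))
            elif k.endswith("\\globallyopenports\\list"):
                findings.append(Finding(key, name, "port opened for every network"))
    return findings


def names_flagged(text):
    """Set of value names that triggered at least one finding."""
    return {f.name for f in analyse(text)}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.reason}: {f.name} in [{f.key}]")
```

Run against the sample, the hits are the same entries Malwarebytes later removed (Run\76112549345328287, RunOnce\65438761234587528 and AntiVirusDisableNotify), plus the firewall state that ComboFix only reports. Two caveats: some vendor suites legitimately set DisableMonitoring under their own Monitoring subkey, so treat that hit as something to verify rather than proof on its own, and the System Volume Information entries marked "Not selected for removal" in the Malwarebytes log are restore-point copies of the TDSS files, which is why the helper said to leave them to the tool and deal with restore points separately.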

Re: MY HIJACKTHIS LOGFILE

Unread postby peku006 » March 24th, 2009, 5:54 am

Hi lala82

looks better :)

1 - Clean temp files

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    If you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    If you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

2 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006

Re: MY HIJACKTHIS LOGFILE

Unread postby NonSuch » March 29th, 2009, 3:40 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.