
Can someone look at my Hijack this log please


evilfantasy:
OK, the scan turned up something new.

A few more steps, this will not take as long.

Please download ATF Cleaner by Atribune (ATF-Cleaner.exe). This program does not require an installation; the executable actually runs the program.

NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

=====

1. Please download Combofix by sUBs (combofix.exe) and place it on your Desktop.
2. Double-click combofix.exe and follow the prompts. Enter 1 and press Enter at the prompt.
3. When finished, it will produce a log for you. Attach that log in your next reply.
Combofix will create a backup of anything removed in C:\qoovox

Note:
Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Nev:
ComboFix 07-11-08.3 - Owner 2007-11-11 12:53:18.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.562 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini

.
(((((((((((((((((((((((((   Files Created from 2007-10-11 to 2007-11-11  )))))))))))))))))))))))))))))))
.

2007-11-11 12:51   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-11-11 10:16   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
2007-11-11 09:20   <DIR>   d--------   C:\WINDOWS\LastGood
2007-11-11 08:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 08:35   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-11-11 08:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-11 07:25   <DIR>   d--------   C:\Program Files\Trend Micro
2007-11-05 20:35   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\MP3Rocket
2007-11-05 20:27   <DIR>   d--------   C:\Program Files\MP3 Rocket
2007-10-21 09:32   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\.wyzo
2007-10-19 20:51   <DIR>   d--------   C:\Program Files\iTunes
2007-10-19 20:47   <DIR>   d--------   C:\Program Files\Common Files\Apple
2007-10-19 20:47   <DIR>   d--------   C:\Program Files\Apple Software Update
2007-10-19 20:47   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 13:35   ---------   d-----w   C:\Program Files\Lavasoft
2007-11-11 11:54   ---------   d-----w   C:\Program Files\Symantec AntiVirus
2007-11-11 11:54   ---------   d-----w   C:\Program Files\Microsoft Home Publishing
2007-11-06 01:33   ---------   d-----w   C:\Program Files\Java
2007-11-06 01:29   ---------   d-----w   C:\Program Files\LimeWire
2007-11-01 20:13   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\WeatherBug
2007-10-21 14:32   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\.wyzo
2007-10-21 14:24   ---------   d-----w   C:\Program Files\Motive
2007-10-21 14:24   ---------   d-----w   C:\Program Files\IrfanView
2007-10-20 01:51   ---------   d-----w   C:\Program Files\iPod
2007-10-20 01:49   ---------   d-----w   C:\Program Files\QuickTime
2007-10-05 20:50   ---------   d-----w   C:\Program Files\Cucusoft
2007-09-26 00:31   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\DMCache
2007-09-18 22:35   ---------   d-----w   C:\Program Files\MSN Messenger
2007-08-22 15:01   1,598,759   --sh--w   C:\WINDOWS\system32\jjkmp.ini2
2007-08-22 13:05   1,589,947   --sh--w   C:\WINDOWS\system32\jjkmp.bak2
2007-08-21 23:26   1,590,504   --sh--w   C:\WINDOWS\system32\jjkmp.bak1
2007-08-21 06:15   683,520   ------w   C:\WINDOWS\system32\inetcomm.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LightSurf.lnk]
backup=C:\WINDOWS\pss\LightSurf.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sprint FastConnect virtual assistant.lnk]
backup=C:\WINDOWS\pss\Sprint FastConnect virtual assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 _wff;_wff;C:\WINDOWS\system32\drivers\_wff.sys
R3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet558x.sys
S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d2b75a6-cfe1-11d8-a628-806d6172696f}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-20 01:47:52 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 12:54:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 12:55:12
.
   --- E O F ---


Oh man, it worked! I can go onto websites now, and it doesn't go back to the original webpage after I log in!

:D thank you!

evilfantasy:
Good to hear, but there is still more to do.

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let Vundo finish; sometimes it can take multiple passes.

Nev:
VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 1:48:12 PM 11/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 1:50:25 PM 11/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:53 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\analyze.exe\Analyze.exe.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 2531 bytes

evilfantasy:
Why is your antivirus not turned on?

=====

Now download The Avenger By Swandog46, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop.
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:


--- Quote ---
Drivers to unload:
_wff
Files to delete:
C:\WINDOWS\system32\drivers\_wff.sys
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\jjkmp.bak2
C:\WINDOWS\system32\jjkmp.bak1

--- End quote ---

Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart; click OK at the prompt and your PC should reboot. If not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

The Avenger will automatically do the following:

* It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
* On reboot, it will briefly open a black command window on your desktop; this is normal.
* After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please attach C:\avenger.txt in your reply.
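The removal script above was written by hand from the ComboFix log Nev posted earlier. As an added example (not code from this thread, from ComboFix, or from The Avenger), the Python script below re-applies the indicators behind that choice to the posted log lines, so the triage reasoning is explicit: files under system32 carrying the system+hidden attributes with a non-standard extension (the jjkmp.ini2/.bak1/.bak2 entries), and a boot-start (R0) driver whose service name doubles as its description and whose file name starts with an underscore (_wff). The sample lines are copied from the posted log; the list of extensions expected directly under system32 and the "two or more indicators" threshold for drivers are assumptions of this example.

```python
"""Triage helper for ComboFix-style log lines.

Added example, not part of the thread or of ComboFix: it re-applies the
indicators the helper acted on (hidden+system files with odd extensions
under system32, a boot-start driver with no vendor description) to lines
in the format of the posted log, and reports why each entry was flagged.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed samples: lines copied from the ComboFix log posted in the
# thread (Find3M Report section and the service list), including benign
# entries so the rules have something to leave alone.
FIND3M_SAMPLE = r"""
2007-11-11 11:54   ---------   d-----w   C:\Program Files\Symantec AntiVirus
2007-08-22 15:01   1,598,759   --sh--w   C:\WINDOWS\system32\jjkmp.ini2
2007-08-22 13:05   1,589,947   --sh--w   C:\WINDOWS\system32\jjkmp.bak2
2007-08-21 23:26   1,590,504   --sh--w   C:\WINDOWS\system32\jjkmp.bak1
2007-08-21 06:15   683,520   ------w   C:\WINDOWS\system32\inetcomm.dll
"""

SERVICE_SAMPLE = r"""
R0 _wff;_wff;C:\WINDOWS\system32\drivers\_wff.sys
R3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver;C:\WINDOWS\system32\DRIVERS\vnet558x.sys
S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
"""

# Extensions normally found directly under system32 (assumption of this
# example, not an exhaustive list).
KNOWN_SYSTEM32_EXT = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl",
                      ".ax", ".ini", ".dat", ".log"}

# "<date> <time>   <size>   <attrs>   <path>"
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
# "<start> <name>;<description>;<path>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.+?)\s*$")


@dataclass
class FileEntry:
    timestamp: str
    size: str           # "1,598,759", or "---------" for directories
    attrs: str          # e.g. "--sh--w": d = directory, s = system, h = hidden
    path: str


@dataclass
class ServiceEntry:
    start: str          # R0 = boot start, R3 = demand start, S3 = stopped
    name: str
    description: str
    path: str


def parse_find3m(text):
    return [FileEntry(*m.groups()) for line in text.splitlines()
            if (m := FIND3M_RE.match(line))]


def parse_services(text):
    return [ServiceEntry(*m.groups()) for line in text.splitlines()
            if (m := SERVICE_RE.match(line))]


def file_reasons(entry):
    """Indicators that make a Find3M file entry worth a second look."""
    reasons = []
    attrs = entry.attrs.lower()
    if "d" in attrs:
        return reasons                      # directories: out of scope here
    if "s" in attrs and "h" in attrs:
        reasons.append("system+hidden attributes")
    if "\\system32\\" in entry.path.lower():
        ext = ntpath.splitext(ntpath.basename(entry.path))[1].lower()
        if ext not in KNOWN_SYSTEM32_EXT:
            reasons.append(f"unusual extension {ext!r} under system32")
    return reasons


def driver_reasons(entry):
    """Indicators on a service/driver line; any one alone is common."""
    reasons = []
    if entry.start == "R0":
        reasons.append("boot-start (R0) driver")
    if entry.name.strip() == entry.description.strip():
        reasons.append("display name is just the service name")
    if ntpath.basename(entry.path).startswith("_"):
        reasons.append("file name starts with '_'")
    return reasons


def flag_files(entries):
    """(entry, reasons) for every file with at least one indicator."""
    return [(e, r) for e in entries if (r := file_reasons(e))]


def flag_drivers(entries):
    """(entry, reasons) for drivers where two or more indicators stack up."""
    return [(e, r) for e in entries if len(r := driver_reasons(e)) >= 2]


if __name__ == "__main__":
    for e, why in flag_files(parse_find3m(FIND3M_SAMPLE)):
        print(e.path, "->", "; ".join(why))
    for e, why in flag_drivers(parse_services(SERVICE_SAMPLE)):
        print(e.start, e.name, e.path, "->", "; ".join(why))
```

Run against the embedded samples it reports only the three jjkmp files and the _wff driver, which is exactly the set the Avenger script above names; the Symantec directory, inetcomm.dll and the two vendor-described drivers pass. The point of splitting "reasons" from "flag" is that a single indicator (an R0 driver, a system+hidden file) is routine on a healthy machine, and it is the combination in one entry that earns the manual look a helper gives it before writing a removal script.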
