Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:56 PM, on 9/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\AntiLogger\AntiLogger.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Minimem\minimem1.1.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NotePad.exe
C:\Windows\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60076
Hijackthis Log: Please Help Diagnose Runscanner Log: Please Help Diagnose
#2
Posted 19 September 2008 - 09:56 AM
Runscanner logfile http://www.runscanner.net
* = signed file
- = file not found
General info
------------
Computer name : RONNIE-PC
Creation time : 9/19/2008 10:39:09 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.6000.16711
OS : Windows Vista Home Premium
OS Build : 6000
OS SP :
RunScanner Version : 1.7.0.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\Windows
Running processes
-----------------
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
* C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
* C:\Windows\system32\csrss.exe (Microsoft Corporation)
* C:\Windows\system32\csrss.exe (Microsoft Corporation)
* C:\Windows\system32\conime.exe (Microsoft Corporation)
* C:\Windows\system32\Dwm.exe (Microsoft Corporation)
* C:\Windows\system32\svchost.exe (Microsoft Corporation)
* C:\Windows\system32\svchost.exe (Microsoft Corporation)
* C:\Windows\system32\svchost.exe (Microsoft Corporation)
* C:\Windows\system32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\system32\svchost.exe (Microsoft Corporation)
* C:\Windows\system32\svchost.exe (Microsoft Corporation)
* C:\Windows\system32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Windows\System32\svchost.exe (Microsoft Corporation)
* C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe (IObit)
* C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
* C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
* C:\Windows\system32\lsass.exe (Microsoft Corporation)
* C:\Windows\system32\lsm.exe (Microsoft Corporation)
* C:\Windows\system32\SLsvc.exe (Microsoft Corporation)
* C:\Windows\system32\SearchIndexer.exe (Microsoft Corporation)
* C:\Windows\system32\SearchProtocolHost.exe (Microsoft Corporation)
C:\Program Files\Minimem\minimem1.1.exe (Kerkia)
* C:\Program Files\ThreatFire\TFService.exe (PC Tools)
* C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
* C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
* C:\Users\Ronnie\AppData\Local\Temp\Rar$EX00.375\RunScanner.exe (Runscanner.net)
* C:\Program Files\Safari\Safari.exe (Apple Inc.)
* C:\Windows\system32\services.exe (Microsoft Corporation)
* C:\Windows\system32\wbem\unsecapp.exe (Microsoft Corporation)
* C:\Windows\System32\spoolsv.exe (Microsoft Corporation)
* C:\Windows\system32\taskeng.exe (Microsoft Corporation)
* C:\Windows\system32\taskeng.exe (Microsoft Corporation)
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
* C:\Windows\system32\audiodg.exe (Microsoft Corporation)
* C:\Windows\Explorer.EXE (Microsoft Corporation)
* C:\Windows\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
* C:\Windows\system32\wininit.exe (Microsoft Corporation)
* C:\Windows\system32\wuauclt.exe (Microsoft Corporation)
* C:\Windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
Unrated items
-------------
002 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
002 C:\Program Files\TP-LINK\TWCU\TWCU.exe
002 C:\Program Files\Unlocker\UnlockerAssistant.exe
003 C:\Program Files\Minimem\minimem1.1.exe (Kerkia)
003 * c:\program files\uniblue\registrybooster\StartRegistryBooster.exe (Uniblue Software)
003 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe (Veoh Networks)
010 C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (InstallDriver Table Manager)
010 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Internet Security)
010 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (Machine Debug Manager)
010 C:\Windows\system32\acs.exe (TP-LINK Configuration Service)
011 C:\Windows\system32\16197.sys (16197)
011 * C:\Windows\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver)
011 C:\Windows\system32\drivers\elrawdsk.sys (ElRawDisk)
011 * C:\Windows\system32\DRIVERS\GEARAspiWDM.sys (GEAR ASPI Filter Driver)
011 C:\Windows\System32\DRIVERS\gmer.sys (gmer)
011 * C:\Windows\system32\DRIVERS\klim6.sys (Kaspersky Anti-Virus NDIS 6 Filter)
011 * C:\Windows\system32\drivers\klbg.sys (Kaspersky Lab Boot Guard Driver)
011 * C:\Windows\system32\DRIVERS\klif.sys (Kaspersky Lab Driver)
011 * C:\Windows\system32\DRIVERS\klfltdev.sys (Kaspersky Lab KLFltDev)
011 * C:\Windows\system32\DRIVERS\kl1.sys (kl1)
011 C:\Windows\System32\Drivers\PxHelp20.sys (PxHelp20)
011 C:\Windows\System32\Drivers\sptd.sys (sptd)
011 C:\Program Files\Unlocker\UnlockerDriver5.sys (UnlockerDriver5)
011 C:\Windows\system32\DRIVERS\snp2sxp.sys (USB2.0 PC Camera (SNP2STD))
041 C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc) {D0943516-5076-4020-A3B5-AEFAF26AB263}
042 GUID / CLSID not found {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
042 C:\Program Files\HiDownload\hidownload.exe (StreamingStar Technology Inc.) {F4FBA929-A891-492C-A0F6-5C79CC4F1742}
042 GUID / CLSID not found {92780B25-18CC-41C8-B9BE-3C9C571A8263}
042 GUID / CLSID not found {2670000A-7350-4f3c-8081-5663EE0C6C49}
042 GUID / CLSID not found {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}
042 GUID / CLSID not found {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
052 * C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
052 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (Kaspersky Lab) {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}
061 C:\Program Files\Unlocker\UnlockerCOM.dll {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
061 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab) {85E0B171-04FA-11D1-B7DA-00A0C90348D6}
061 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
067 * C:\Windows\system32\klogon.dll (Kaspersky Lab)
073 AutoSmartDefrag.job : C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe (IObit)
073 SmartDefrag.job : C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe (IObit)
100 CustomizeSearch HKLM : http://dnl.crawler.com/support/sa_customize.aspx?TbId=60076
100 Default_Page_URL HKLM : http://www.yahoo.com
100 Default_Search_URL HKLM : http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
100 Search Page HKCU : http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
100 Search Page HKLM : http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
100 SearchUrl HKCU : http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
100 Start Page HKLM : http://www.yahoo.com
104 GUID / CLSID not found {77E32299-629F-43C6-AB77-6A1E6D7663F6}
104 GUID / CLSID not found {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
105 &Yahoo! Search : file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
105 Add to AMV Convert Tool... : C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
105 Add to Banner Ad Blocker : C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
105 Add to Media Manager... : C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
105 Download All Files by HiDownload : C:\Program Files\HiDownload\HDGetAll.htm
105 Download by HiDownload : C:\Program Files\HiDownload\HDGet.htm
105 E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
105 Yahoo! &Dictionary : file:///C:\Program Files\Yahoo!\Common/ycdict.htm
105 Yahoo! &Maps : file:///C:\Program Files\Yahoo!\Common/ycmap.htm
105 Yahoo! &SMS : file:///C:\Program Files\Yahoo!\Common/ycsms.htm
107 C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
121 * C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll (Kaspersky Lab)
121 * C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll (Kaspersky Lab)
121 * C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll (Kaspersky Lab)
121 * C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd3.dll (Kaspersky Lab)
170 {1c2172a1-d259-11db-9578-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Cn911.exe
170 {34af6e86-d1fc-11db-acc9-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
170 {4507a364-ef06-11db-bce1-806e6f6e6963} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\copy.exe
170 {4f5936aa-cda7-11dc-9860-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
170 {634ac65b-1430-11dd-8e9e-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\copy.exe
170 {ba0477cc-4b3a-11dc-89b8-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\copy.exe
170 {c04bdcfc-c943-11db-888a-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\copy.exe
170 {c49c21bf-ca16-11db-9b61-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\copy.exe
170 {c49c21e7-ca16-11db-9b61-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\copy.exe
170 {d993fcc1-2be3-11dd-ad53-00016c3d7d5d} : C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\autorun.bat
173 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll (Kaspersky Lab) {dd230880-495a-11d1-b064-008048ec2fc5}
173 C:\Program Files\Privacy Guardian\Shredder\ShredderShellExtension.dll (PC Tools Research Pty Ltd) {AE733F78-D42C-428B-B6BD-28B41EE97925}
173 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
180 HKEY_CLASSES_ROOT htafile : NOTEPAD.EXE %1
221 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll (Kaspersky Lab) {dd230880-495a-11d1-b064-008048ec2fc5}
221 C:\Program Files\Privacy Guardian\Shredder\ShredderShellExtension.dll (PC Tools Research Pty Ltd) {AE733F78-D42C-428B-B6BD-28B41EE97925}
221 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
223 C:\Program Files\Unlocker\UnlockerCOM.dll {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
225 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll (Kaspersky Lab) {dd230880-495a-11d1-b064-008048ec2fc5}
225 * C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll (Kaspersky Lab) {dd230880-495a-11d1-b064-008048ec2fc5}
225 C:\Program Files\Unlocker\UnlockerCOM.dll {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
225 C:\Program Files\Unlocker\UnlockerCOM.dll {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
227 C:\Program Files\Privacy Guardian\Shredder\ShredderShellExtension.dll (PC Tools Research Pty Ltd) {AE733F78-D42C-428B-B6BD-28B41EE97925}
227 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
229 GUID / CLSID not found {5E2121EE-0300-11D4-8D3B-444553540000}
Missing files
-------------
011 System32\Drivers\usbaapl.sys
011 C:\Windows\system32\drivers\aucm917o.sys
011 c:\windows\system32\drivers\blbdrive.sys
011 C:\Windows\system32\drivers\Inspect.sys
011 E:\Fxdrv.sys
011 c:\windows\system32\DRIVERS\ipinip.sys
011 c:\windows\system32\DRIVERS\nwlnkflt.sys
011 c:\windows\system32\DRIVERS\nwlnkfwd.sys
011 C:\Windows\system32\drivers\SymIMMP.sys
011 C:\Windows\system32\drivers\TMPassthruMP.sys
011 c:\windows\system32\DRIVERS\vmnetadapter.sys
032 rdpclip
063 autocheck
063 autocheck
063 autocheck
067 SSMWinlogonEx.dll
104 C:\Windows\Downloaded Program Files\PCPitstop.dll
This post has been edited by Orange Blossom: 20 September 2008 - 01:11 AM
Reason for edit: Merged topics. ~ OB
#3
Posted 25 September 2008 - 02:46 PM
Hello and Welcome to the forums!
My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.
Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.
I am sorry that we were unable to reply to your post sooner. The forums have been very busy.
I am currently looking at your log now and will be back as soon as possible with your instructions.
While you are waiting, one other thing that can be of good use is an uninstall list, so please do the following:
Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Right click on HijackThis and click Run as administrator
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.