Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log


  • This topic is locked This topic is locked
4 replies to this topic

#1 MercyLam

MercyLam

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 29 February 2008 - 12:40 PM

Hi i am new here and i have encounter some problem.

My computer are infected by the virus win 32/NSAnti.
It keeps coming out even i quarantine and delete it with my AAVG antivirus.
Can someone please analyze my log.

Thank you.

BC AdBot (Login to Remove)

 


#2 MercyLam

MercyLam
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 29 February 2008 - 12:42 PM

ComboFix 08-02-25.3 - user 2008-03-01 1:13:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.423 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\AQTWRMC6\iforex.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\AQTWRMC6\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\user\ravmonlog
C:\Program Files\Common Files\{F434D~1
C:\WINDOWS\system32\components
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-27 14:45 . 2008-02-27 23:46 112,168 -r-hs---- C:\h2.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 17:15 13,627,424 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-29 17:09 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2008-02-29 15:09 162,044 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-29 06:17 --------- d-----w C:\Documents and Settings\user\Application Data\AVG7
2008-02-22 16:32 --------- d-----w C:\Program Files\Zappit
2008-02-22 04:37 --------- d-----w C:\Program Files\Winamp
2008-02-18 17:01 --------- d-----w C:\Program Files\BitComet
2008-01-31 11:30 17,704,844 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-21 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 05:15 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2007-04-17 10:01 7,896,769 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_17_00_56_37_full.dmp.zip
2007-04-16 14:52 5,543,749 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_16_22_35_18_full.dmp.zip
2006-10-28 12:31 109,877 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_28_20_08_30_small.dmp.zip
2006-10-27 12:39 110,006 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_27_20_26_38_small.dmp.zip
2006-10-08 06:55 110,590 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_08_04_58_26_small.dmp.zip
2006-10-07 12:52 109,436 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_07_18_12_06_small.dmp.zip
2006-09-28 14:30 109,222 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_28_14_08_46_small.dmp.zip
2006-09-26 11:12 107,311 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_26_09_16_43_small.dmp.zip
2006-08-26 01:34 97,872 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_26_00_11_04_small.dmp.zip
2006-08-17 07:05 101,999 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_08_17_14_11_25_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-18 20:41 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{E0E899AB-F487-11D5-8D29-0050BA6940E3}
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-18 20:41 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" [2005-09-21 22:34 294912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-10-12 21:00 294912]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-02 13:42 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-27 08:07 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{F434D803-0960-1033-1122-050212090001}"= "C:\Program Files\Common Files\{F434D803-0960-1033-1122-050212090001}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzwr32]
winzwr32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 22:32 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-03 22:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-03 22:32 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
-ra------ 2005-04-27 03:22 589824 C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-06-26 15:53 20005928 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-07-15 23:06 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\warcraft\\Warcraft III.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8089:TCP"= 8089:TCP:BitComet 8089 TCP
"8089:UDP"= 8089:UDP:BitComet 8089 UDP
"25653:TCP"= 25653:TCP:BitComet 25653 TCP
"25653:UDP"= 25653:UDP:BitComet 25653 UDP
"6889:TCP"= 6889:TCP:BitComet 6889 TCP
"6889:UDP"= 6889:UDP:BitComet 6889 UDP
"13477:TCP"= 13477:TCP:BitComet 13477 TCP
"13477:UDP"= 13477:UDP:BitComet 13477 UDP
"19005:TCP"= 19005:TCP:BitComet 19005 TCP
"19005:UDP"= 19005:UDP:BitComet 19005 UDP
"17520:TCP"= 17520:TCP:NortonAV
"13396:TCP"= 13396:TCP:NortonAV

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-04-19 20:37]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f127fab-1664-11db-b447-0015f2bd3402}]
\Shell\AutoRun\command - J:\h2.com
\Shell\explore\Command - J:\h2.com
\Shell\open\Command - J:\h2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aadfc066-604c-11dc-b702-0015f2bd3402}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c596a470-e4f6-11dc-abb6-0015f2bd3402}]
\Shell\AutoRun\command - J:\h2.com
\Shell\explore\Command - J:\h2.com
\Shell\open\Command - J:\h2.com

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 09:17:28 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-02-24 10:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-29 16:46:52 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-29 15:26:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-29 15:24:32 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 01:15:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\TuneUp Utilities 2006\WinStylerThemeHelper.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\TuneUp Utilities 2006\WinStylerThemeHelper.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\Program Files\TuneUp Utilities 2006\WinStylerThemeHelper.dll
.
Completion time: 2008-03-01 1:16:49
ComboFix-quarantined-files.txt 2008-02-29 17:16:45
.
2008-02-29 15:09:15 --- E O F ---

Attached Files



#3 MercyLam

MercyLam
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:35 AM

Posted 06 March 2008 - 11:43 AM

Sorry but had anyone analyze my log.
I just need any form of reply to as whether anyone had notice this log..

#4 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:02:35 PM

Posted 17 March 2008 - 09:42 PM

Hello MercyLam


Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston Mass
  • Local time:02:35 PM

Posted 26 March 2008 - 06:47 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users