I have been infected. Please analyze HJT log


This topic is locked
2 replies to this topic

#1 mishrashubham2007

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:03 PM

Posted 21 July 2009 - 08:09 AM

I scanned my PC with Symantec AV and found trojans. Some were deleted, some were quarantined. Here is the HJT log. Also, there is the list of quarantined items beneath it. Please help on what to fix. Thank you very much.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:05 PM, on 7/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Application Data\U3\0E81FA60F0005AF8\LaunchPad.exe
F:\data\e\Personal Folder\Shubham\Extras\install\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4864 bytes

Quarantined items

Risk Filename Original Location Status Date
Trojan Horse APQ8.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/21/2009 15:52
Trojan Horse ?????? ?????? Infected 7/21/2009 15:40
Backdoor.Trojan A0025017.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:37
Backdoor.IRC.Bot A0025016.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:37
W32.SillyFDC A0025015.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:37
Trojan Horse A0025012.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:36
Trojan Horse A0025013.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:36
W32.SillyFDC A0025011.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:36
W32.SillyFDC A0025010.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:36
Trojan Horse A0025009.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:35
Backdoor.Trojan A0025008.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:35
W32.SillyFDC A0025007.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:35
Backdoor.Trojan A0025006.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:35
W32.SillyFDC A0025005.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:35
Backdoor.Trojan A0025004.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:34
Trojan Horse A0025003.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:34
W32.SillyFDC A0025002.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:34
Trojan Horse A0025001.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:33
Trojan Horse A0024963.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:33
W32.SillyFDC A0024961.EXE C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:33
Backdoor.Trojan A0024960.EXE C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:32
Trojan Horse A0024905.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP62\ Infected 7/20/2009 15:32
Backdoor.Trojan A0024903.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP62\ Infected 7/20/2009 15:32
Backdoor.IRC.Bot A0024898.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP62\ Infected 7/20/2009 15:32
Trojan Horse A0022776.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP61\ Infected 7/20/2009 15:32
Backdoor.Trojan A0022732.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP61\ Infected 7/20/2009 15:32
Backdoor.Trojan A0022653.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP61\ Infected 7/20/2009 15:31
Trojan Horse A0022489.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP60\ Infected 7/20/2009 15:31
Backdoor.IRC.Bot APQ3.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:25
Backdoor.IRC.Bot APQF.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:25
Backdoor.IRC.Bot APQ4.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:25
Backdoor.IRC.Bot APQD.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:24
Backdoor.IRC.Bot APQ2.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:24
Backdoor.IRC.Bot APQE.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:24
Backdoor.IRC.Bot APQ1.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:24
Backdoor.IRC.Bot APQ10.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:23
Backdoor.IRC.Bot APQB.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:23
Backdoor.IRC.Bot APQ9.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/20/2009 15:23
Suspicious.MH690 C6N3T7~1.EXE C:\DOCUME~1\user\ Infected 7/19/2009 21:01
Trojan Horse D2G8J4~1.EXE C:\DOCUME~1\user\ Infected 7/19/2009 21:01
Trojan Horse dy44n4.exe C:\DOCUME~1\user\ Infected 7/19/2009 21:01
Trojan Horse L8Q8A6~1.EXE C:\DOCUME~1\user\ Infected 7/19/2009 21:00
Trojan Horse DC1.EXE C:\RECYCLED\ Infected 7/19/2009 20:56
Trojan Horse DEW.exe C:\REMOVA~1\DEVICE\ Infected 7/19/2009 15:36
Suspicious.MH690 UPCDATE.EXE C:\DOCUME~1\user\ Infected 7/18/2009 16:47
Suspicious.MH690 OGWE2_~1.AVI C:\DOCUME~1\user\LOCALS~1\TEMPOR~1\CONTENT.IE5\KD41AJWZ\ Infected 7/18/2009 16:47
Suspicious.MH690 Y2F5L7~1.EXE C:\DOCUME~1\user\ Infected 7/18/2009 16:47
Suspicious.MH690 UPCDATE.EXE C:\DOCUME~1\user\ Infected 7/18/2009 15:42
Suspicious.MH690 OGWE2_~1.AVI C:\DOCUME~1\user\LOCALS~1\TEMPOR~1\CONTENT.IE5\KD41AJWZ\ Infected 7/18/2009 15:42
Suspicious.MH690 Y2F5L7~1.EXE C:\DOCUME~1\user\ Infected 7/18/2009 15:42
Suspicious.MH690 OGWE2_~1.AVI C:\DOCUME~1\user\LOCALS~1\TEMPOR~1\CONTENT.IE5\KD41AJWZ\ Infected 7/18/2009 15:41
ErrorDoctor A0021864.exe F:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP55\ Infected 6/27/2009 10:00
Trojan Horse A0001523.exe F:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP10\ Infected 6/27/2009 10:00
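The HijackThis log and the Symantec quarantine list above are the kind of material a helper reads by hand: which O4 Run entries point at a real path, which are bare file names that only resolve at logon, and where the quarantined files were found. The Python below is an added example written for this page; it is not part of the thread and not code from HijackThis or Symantec. It parses a subset of the lines posted above (embedded as constructed sample input), flags Run entries whose command has no directory, and tallies the quarantine rows by risk name and by location. The regular expressions and the location buckets are this example's own assumptions about the two formats, not a specification of either tool.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis log posted in this thread.
HJT_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

# Constructed sample: a subset of the Symantec quarantine list posted in this thread.
QUARANTINE_SAMPLE = r"""Risk Filename Original Location Status Date
Trojan Horse APQ8.tmp C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ Infected 7/21/2009 15:52
Trojan Horse ?????? ?????? Infected 7/21/2009 15:40
Backdoor.IRC.Bot A0025016.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:37
W32.SillyFDC A0025015.exe C:\System Volume Information\_restore{5F1637FF-8236-4369-96DE-EBC88FC8BA49}\RP63\ Infected 7/20/2009 15:37
Suspicious.MH690 C6N3T7~1.EXE C:\DOCUME~1\user\ Infected 7/19/2009 21:01
Trojan Horse DC1.EXE C:\RECYCLED\ Infected 7/19/2009 20:56
Trojan Horse DEW.exe C:\REMOVA~1\DEVICE\ Infected 7/19/2009 15:36
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>" (registry Run entries only;
# the "Global Startup" O4 form is deliberately not matched). Assumed layout.
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# One quarantine row. The risk name may contain spaces ("Trojan Horse"), so the
# filename is pinned by its extension dot and the row by the trailing date/time.
QUAR_RE = re.compile(
    r"^(?P<risk>.+?)\s+(?P<file>\S+\.\S+)\s+(?P<location>.+?)\s+"
    r"(?P<status>\S+)\s+(?P<date>\d+/\d+/\d+ \d+:\d+)$"
)


def executable_of(cmd):
    """Return the program part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def classify_location(path):
    """Coarse bucket for where a file lives; the buckets are this example's own heuristics."""
    p = path.lower()
    if "\\aptemp\\" in p:
        return "AV temp (Auto-Protect)"
    if "system volume information" in p:
        return "restore point"
    if "\\docume~1\\" in p or "documents and settings" in p:
        return "user profile"
    if "\\recycled\\" in p:
        return "recycle bin"
    if "\\windows\\" in p:
        return "windows"
    if "program files" in p or "\\progra~1\\" in p:
        return "program files"
    return "other"


def triage_hjt(text):
    """Extract O4 Run entries and flag the ones that need a second look."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        exe = executable_of(m["cmd"])
        # A bare file name (no directory) is resolved through PATH / App Paths at
        # logon, so the log alone does not tell you which file actually runs.
        unqualified = "\\" not in exe
        entries.append({
            "hive": m["hive"], "name": m["name"], "exe": exe,
            "unqualified": unqualified,
            "location": "unqualified" if unqualified else classify_location(exe),
        })
    return entries


def summarize_quarantine(text):
    """Count quarantined items by risk name and by where they were found."""
    rows = [m.groupdict() for m in map(QUAR_RE.match, text.splitlines()) if m]
    return {
        "rows": rows,
        "by_risk": Counter(r["risk"] for r in rows),
        "by_location": Counter(classify_location(r["location"]) for r in rows),
    }


if __name__ == "__main__":
    for e in triage_hjt(HJT_SAMPLE):
        note = "CHECK: no path, resolved via PATH" if e["unqualified"] else e["location"]
        print(f"O4 {e['hive']} [{e['name']}] -> {e['exe']}  ({note})")
    q = summarize_quarantine(QUARANTINE_SAMPLE)
    print("by risk:", dict(q["by_risk"]))
    print("by location:", dict(q["by_location"]))
    if q["by_location"]["restore point"]:
        print("note: infected copies sit in System Restore points; purge them once the system is clean")
```

Rows the quarantine regex cannot parse (the `?????? ??????` line, the header) are skipped rather than guessed at. Three of the Run entries in the posted log (`VTTimer.exe`, `IntEdReg.exe /CHECK`, `IntEdReg.exe /OFFMAN`) are bare names, which is why the script singles them out: the entry itself does not say which file on disk will run.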

#2 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:33 PM

Posted 31 July 2009 - 04:34 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to, and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say so or ask before you proceed with my instructions.
  • Please continue to work with me until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:33 PM

Posted 04 August 2009 - 06:14 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
