My Hijackthis Log File


  • This topic is locked
34 replies to this topic

#1 Shahin

  • Members
  • 16 posts

Posted 24 September 2006 - 12:58 PM

A few days ago, I saw the message "your computer is in danger" and understood my computer was infected. After that, I downloaded the SpyRemover and HijackThis programmes. I scanned my computer with both programmes, and I deleted some files which I thought were not important and whose deletion wouldn't be dangerous. And so, my final scan results are here...

What can I do now? How can I remove the viruses from my computer completely?



Logfile of HijackThis v1.99.1
Scan saved at 18:46:31, on 24.09.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\šatlat\patlat.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: IDN Helper Object - {118CE65F-5D86-4AEA-A9BD-94F92B89119F} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_7c8e.dll
O3 - Toolbar: &Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Belgeler\Settings\artm_new.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: cvFZzs - {5440B29C-FEEA-1836-C1DF-BBF873B65C20} - C:\WINDOWS\System32\jyrt.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
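A HijackThis log is a plain, line-oriented format, so a first triage pass can be automated. The Python script below is an added example, not HijackThis code and not anything posted in this thread: it parses HijackThis-style lines and applies common analyst heuristics (a process or autorun binary whose name is one character away from a legitimate system binary, a Shell or UserInit value that launches extra programs, a Winlogon Notify DLL outside System32, and entries that point at missing files). The SYSTEM_BINARIES baseline and the sample log (a constructed subset of the log above) are assumptions of the example; a hit is a prompt to look closer, not a verdict.

```python
"""Triage a HijackThis v1.99-style log for entries that merit a closer look.

Added example, not HijackThis code. SAMPLE_LOG is a constructed subset of the
log posted in the thread; SYSTEM_BINARIES is our own baseline, not a
HijackThis whitelist. Findings are hints for a human analyst, not verdicts.
"""
import re
from dataclasses import dataclass

# Legitimate Windows XP binaries seen in the thread's process list (assumption).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "explorer.exe", "userinit.exe",
}
ENTRY_RE = re.compile(r"^(?P<sec>[FOR]\d+) - (?P<body>.*)$")   # e.g. "O4 - ..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")                           # a process path


@dataclass(frozen=True)
class Finding:
    section: str   # "PROC" for a running process, else the HijackThis section
    reason: str
    line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (surrounding quotes tolerated)."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    long_, short = (a, b) if len(a) > len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike(name: str):
    """Return the legitimate binary this name resembles, or None if it is exact or unrelated."""
    if name in SYSTEM_BINARIES:
        return None
    return next((k for k in sorted(SYSTEM_BINARIES) if one_edit_apart(name, k)), None)


def first_executable(command: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):                      # "Running processes:" block
            hit = lookalike(basename(line))
            if hit:
                findings.append(Finding("PROC", f"process name resembles {hit}", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if line.endswith(("(no file)", "(file missing)")):
            findings.append(Finding(sec, "orphaned entry points at a missing file", line))
        if sec == "F2" and body.startswith("REG:system.ini: "):
            key, _, value = body[len("REG:system.ini: "):].partition("=")
            if key == "Shell" and value.strip().lower() != "explorer.exe":
                findings.append(Finding(sec, "Shell is not plain explorer.exe", line))
            if key == "UserInit":
                programs = [basename(v) for v in value.split(",") if v.strip()]
                if programs != ["userinit.exe"]:
                    findings.append(Finding(sec, "UserInit launches extra programs", line))
        elif sec == "O4" and "] " in body:           # Run-key entry: [name] command
            hit = lookalike(basename(first_executable(body.split("] ", 1)[1])))
            if hit:
                findings.append(Finding(sec, f"autorun binary name resembles {hit}", line))
        elif sec == "O20" and body.startswith("Winlogon Notify: "):
            dll = body.rsplit(" - ", 1)[-1].lower()
            if not dll.startswith("c:\\windows\\system32\\"):
                findings.append(Finding(sec, "Winlogon Notify DLL outside System32", line))
    return findings


# Constructed sample: a subset of the first log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\ctfmon.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Belgeler\Settings\artm_new.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run against the sample, the script flags the spoolsvv.exe lookalike twice (as a process and as a Run entry), the Shell and UserInit additions, the Winlogon Notify DLL under Documents and Settings, and the orphaned SSODL entry, while leaving the legitimate NVIDIA, ctfmon and Startup lines alone. The one-edit lookalike check is deliberately narrow; widen the baseline or the distance only if you are prepared to review more false positives.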



#2 rookie147

  • Members
  • 5,321 posts

Posted 24 September 2006 - 02:17 PM

Hello Shahin, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Shahin

  • Topic Starter
  • Members
  • 16 posts

Posted 25 September 2006 - 08:29 AM

Thanks for the answer :thumbsup:

I downloaded anti-virus programmes and they deleted some viruses. Here's my new HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:07:15, on 25.09.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programlar\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programlar\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\šatlat\patlat.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: IDN Helper Object - {118CE65F-5D86-4AEA-A9BD-94F92B89119F} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_7c8e.dll (file missing)
O3 - Toolbar: &Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programlar\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Belgeler\Settings\artm_new.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Belgeler\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: cvFZzs - {5440B29C-FEEA-1836-C1DF-BBF873B65C20} - C:\WINDOWS\System32\jyrt.dll (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programlar\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


By the way, my internet connection sends and receives all the time, though I don't surf the internet or download anything. Two days ago it showed I had downloaded 3.5 GB this month, but one day later it showed 4 GB. I'm sure I didn't download 500 MB in one day. Is this problem because of viruses?

#4 rookie147

  • Members
  • 5,321 posts

Posted 25 September 2006 - 03:14 PM

Hello Shahin, sorry for the delay in getting back to you.

======

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

======

Thanks,
Charles



#5 Shahin

  • Topic Starter
  • Members
  • 16 posts

Posted 26 September 2006 - 08:12 AM

I don't have important passwords on my computer.

Can my yahoo, hotmail, outlook and message board passwords be stolen?
I sometimes do some banking procedures in Internet Explorer, using my bank account number and password; without a format, is it dangerous now?
After a format, will my computer be totally clean?
When I do the format later, is there a risk that some of my files will be deleted?

I think I'll format one month later. So, I would like you to attempt to clean my computer, please :thumbsup:. I'll be happy.

#6 Shahin

  • Topic Starter
  • Members
  • 16 posts

Posted 26 September 2006 - 10:31 AM

By the way, Ewido found "Proxy.Agent.Ji", "Downloader.Delf.aww" and "Proxy.Xorpix.ao" but couldn't quarantine them.

Proxy.Agent.ji : [1072]C:/Windows/comdlj32.dll
[1272]C:/Windows/comdlj32.dll
[1496]C:/Windows/comdlj32.dll
[1504]C:/Windows/comdlj32.dll
[1596]C:/Windows/comdlj32.dll
[1668]C:/Windows/comdlj32.dll
[1732]C:/Windows/comdlj32.dll
[1792]C:/Windows/comdlj32.dll
[1872]C:/Windows/comdlj32.dll
[1896]C:/Windows/comdlj32.dll
[488]C:/Windows/comdlj32.dll
[556]C:/Windows/comdlj32.dll
[568]C:/Windows/comdlj32.dll
[724]C:/Windows/comdlj32.dll
[748]C:/Windows/comdlj32.dll
[864]C:/Windows/comdlj32.dll
[916]C:/Windows/comdlj32.dll
[952]C:/Windows/comdlj32.dll
[980]C:/Windows/comdlj32.dll
C:/Windows/__delete_on_reboot__c_o_m_d_l_j_3_2_._d_l_l_

Downloader.Delf.aww : [1544]VM_14D00000
[2180]VM_14D00000
[3476]VM_14D00000
[440]VM_14D00000
[4]VM_14D00000

Proxy.Xorpix.ao : [512]C:/Documents and Settings/All Users.WINDOWS/Belgeler/Settings/winsys2f.dll


Can I delete them? Or can deleting them be dangerous for the computer?

#7 rookie147

  • Members
  • 5,321 posts

Posted 26 September 2006 - 12:03 PM

Hello Shahin, sorry for the delay in getting back to you.

I don't have important passwords on my computer.

Can my yahoo, hotmail, outlook and message board passwords be stolen?
I sometimes do some banking procedures in Internet Explorer, using my bank account number and password; without a format, is it dangerous now?
After a format, will my computer be totally clean?
When I do the format later, is there a risk that some of my files will be deleted?

Yes, it is dangerous if you do online banking on your computer: you have a trojan that can steal your passwords and record everything you type, so basically they can access your account etc. That's why I suggested the reformat; that is probably the only way you are pretty much guaranteed to be safe.
Your files will be okay as long as you back them up beforehand, for example by saving them to a CD so you can transfer them back when you have completed it.

======

I think I'll format one month later. So, I would like you to attempt to clean my computer, please. I'll be happy.

Do you mean that you are going to reformat after I have tried to clean your computer? This, to me, sounds a bit strange, if you are only going to reformat after I have tried to help you? It would be much better if you chose to either follow my advice, or reformat. Not both.

=======

Before we start with the fix, I see that you are using an unpatched version of Windows. We can help you, but first you need to help us.
Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection, and we're both just wasting our time.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

=======

Open HijackThis
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

======

Please update Windows and then post me back a new Hijackthis log, along with the uninstall list.
Thanks,
Charles



#8 Shahin

  • Topic Starter
  • Members
  • 16 posts

Posted 29 September 2006 - 08:25 AM

I think I'll format one month later. So, I would like you to attempt to clean my computer, please. I'll be happy.

Do you mean that you are going to reformat after I have tried to clean your computer? This, to me, sounds a bit strange, if you are only going to reformat after I have tried to help you? It would be much better if you chose to either follow my advice, or reformat. Not both.

I meant I can't format now, because I can't burn my files to CDs. So I choose to clean my computer.

And the link is not working.

#9 rookie147

  • Members
  • 5,321 posts

Posted 02 October 2006 - 11:01 AM

Sorry for the delay, I went away for a while...
I didn't realise that Microsoft have stopped providing Service Pack 1 downloads, so get it instead from http://www.download.com/Windows-XP-Service...ml?tag=lst-0-19 please. Also do the uninstall list...
Thanks,
Charles

Edited by rookie147, 02 October 2006 - 11:40 AM.



#10 rookie147

  • Members
  • 5,321 posts

Posted 16 October 2006 - 12:04 PM

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



#11 rookie147

  • Members
  • 5,321 posts

Posted 17 October 2006 - 02:13 PM

Re-opened. Can you carry on with the steps I told you in my last post, please?
Thanks,
Charles



#12 Shahin

  • Topic Starter
  • Members
  • 16 posts

Posted 20 October 2006 - 08:09 AM

So sorry, I couldn't reply because my computer was infected 2 more times.

Sorry for the delay, I went away for a while...
I didn't realise that Microsoft have stopped providing Service Pack 1 downloads, so get it instead from http://www.download.com/Windows-XP-Service...ml?tag=lst-0-19 please. Also do the uninstall list...
Thanks,
Charles

It's not working because:
"Setup cannot update your Windows XP files because the language installed on your system is different from the update language."
I downloaded Turkish Service Pack 1 but it gave error, too.
"Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer."

#13 rookie147

  • Members
  • 5,321 posts

Posted 20 October 2006 - 09:57 AM

Hey Shahin,
Take a look here; this is a tutorial on what to do if you get this error message when trying to update Windows. Let me know if this helps, and if so, proceed with my steps... :thumbsup:
Thanks,
Charles



#14 rookie147

  • Members
  • 5,321 posts

Posted 27 October 2006 - 07:48 AM

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



#15 acklan

    Bleepin' cat's meow

  • Members
  • 8,529 posts
  • Gender:Not Telling
  • Location:Baton Rouge, La.

Posted 29 October 2006 - 05:05 PM

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Re-opened at the member's request.


Moderator ~acklan~
"2007 & 2008 Windows Shell/User Award"



