|
| ||
| Need help! Please analyze my HJT log! Original thread, but still not 100% unresolved. http://www.daniweb.com/techtalkforums/thread46853.html Here is the latest log: Logfile of HijackThis v1.99.1 Scan saved at 2:48:06 PM, on 10/06/06 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\TEMP\WZ7351\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62" O4 - HKLM\..\Run: [BlockChecker] C:\PROGRAM FILES\BLOCK CHECKER\block-checker.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE" O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab Thank you Chris |
| ||
| Re: Need help! Please analyze my HJT log! Hi, Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan. Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log. |
| ||
| Re: Need help! Please analyze my HJT log! Thank you - took a few attempts because Kaspersky kept shutting down, but finally worked. Here is the Kaspersky log: <><><><><><><><><><><><><><><><><><><><><><> Sunday, June 11, 2006 6:48:03 PM Operating System: Microsoft Windows 98 SE Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 11/06/2006 Kaspersky Anti-Virus database records: 187913 Scan SettingsScan using the following antivirus databasestandardScan ArchivestrueScan Mail BasestrueScan TargetMy Computera:\ c:\ d:\ e:\ Scan StatisticsTotal number of scanned objects44028Number of viruses found23Number of infected objects60Number of suspicious objects2Duration of the scan process02:25:24 Infected Object NameVirus NameLast Actionc:\WINDOWS\TEMP\iinstall.exe Infected: Trojan-Downloader.Win32.IstBar.pe skipped c:\WINDOWS\TEMP\optimize.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped c:\WINDOWS\TEMP\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.cl skipped c:\WINDOWS\TEMP\tsinstall_4_0_4_0_b4.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped c:\WINDOWS\TEMP\tsinstall_4_0_4_0_b4.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped c:\WINDOWS\TEMP\tsinstall_4_0_4_0_b4.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped c:\WINDOWS\TEMP\tsinstall_4_0_4_0_b4.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped c:\WINDOWS\TEMP\tsinstall_4_0_4_0_b4.exe WiseSFX: infected - 4 skipped c:\WINDOWS\Desktop\Program Files\General Programs\sysguardfull.exe/stream/data0016 Infected: Trojan-Downloader.Win32.Reqlook.d skipped c:\WINDOWS\Desktop\Program Files\General Programs\sysguardfull.exe/stream Infected: Trojan-Downloader.Win32.Reqlook.d skipped c:\WINDOWS\Desktop\Program Files\General Programs\sysguardfull.exe NSIS: infected - 2 skipped c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE skipped c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip ZIP: suspicious - 1 skipped c:\WINDOWS\Downloaded Program Files\YSBactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped c:\WINDOWS\Downloaded Program Files\istactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped c:\WINDOWS\ms05275121909.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\WINDOWS\visfx500.exe Infected: Trojan-Dropper.Win32.Agent.aie skipped c:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped c:\WINDOWS\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg skipped c:\WINDOWS\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg skipped c:\WINDOWS\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg skipped c:\WINDOWS\pf78.exe NSIS: infected - 4 skipped c:\WINDOWS\pms111x.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\WINDOWS\SYSC00.exe Infected: Trojan.Win32.VB.tg skipped c:\WINDOWS\uni_eh.exe Infected: Trojan.Win32.VB.tg skipped c:\WINDOWS\unin101.exe Infected: Trojan.Win32.VB.tg skipped c:\WINDOWS\sys02909275121.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\WINDOWS\sys011909275122006.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\WINDOWS\sys09219092751.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\WINDOWS\drsmartload45a.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped c:\WINDOWS\drsmartload46a.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped c:\WINDOWS\drsmartload849a.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped c:\WINDOWS\sys01190927512.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\WINDOWS\ms049275121902006.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\Program Files\Common Files\rmkw\rmkwm.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped c:\Program Files\Common Files\rmkw\rmkwl.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped c:\Program Files\Common Files\rmkw\rmkwa.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped c:\My Documents\oucm\rundll32.exe Infected: Trojan-Downloader.Win32.PurityScan.cl skipped c:\Backup\IM\Identities\{2F851300-4E66-11D7-857F-0090D041CBE4}\Message Store\Attachments\09_PRICE.ZIP/text.exe Infected: Email-Worm.Win32.Bagle.cy skipped c:\Backup\IM\Identities\{2F851300-4E66-11D7-857F-0090D041CBE4}\Message Store\Attachments\09_PRICE.ZIP ZIP: infected - 1 skipped c:\Backup\IM\Identities\{2F851300-4E66-11D7-857F-0090D041CBE4}\Message Store\Attachments\ATT1394.EML/[From "ursula abel" ][Date Wed, 30 Jan 2002 20:03:27 -0500]/TryThis.exe Infected: not-virus:BadJoke.Win32.Stupen.c skipped c:\Backup\IM\Identities\{2F851300-4E66-11D7-857F-0090D041CBE4}\Message Store\Attachments\ATT1394.EML Mail: infected - 1 skipped c:\My Shared Folder\music from klite\Quicktime Multilang4.exe Infected: Trojan-Downloader.Win32.Small.jl skipped c:\!KillBox\ms05275121909.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\sys01190927512.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\sys09219092751.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\SYSC00.exe Infected: Trojan.Win32.VB.tg skipped c:\!KillBox\sys02909275121.exe Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\block-checker.exe Infected: IM-Worm.Win32.Chiem.a skipped c:\!KillBox\block-checker.exe( 1) Infected: IM-Worm.Win32.Chiem.a skipped c:\!KillBox\ms05275121909.exe( 1) Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\sys01190927512.exe( 2) Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\sys09219092751.exe( 3) Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\SYSC00.exe( 4) Infected: Trojan.Win32.VB.tg skipped c:\!KillBox\sys02909275121.exe( 5) Infected: Trojan-Downloader.Win32.VB.tw skipped c:\!KillBox\block-checker.exe( 6) Infected: IM-Worm.Win32.Chiem.a skipped c:\defender24.exe Infected: Trojan-Clicker.Win32.VB.ly skipped c:\keyboard24.exe Infected: Backdoor.Win32.VB.ary skipped c:\newname24.exe Infected: Trojan-Downloader.Win32.VB.adw skipped c:\Trelew.exe/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped c:\Trelew.exe NSIS: infected - 1 skipped c:\SS1001.exe Infected: Trojan-Dropper.Win32.Small.qn skipped Scan process completed. <><><><><><><><><><><><><><><><><><><><><><> Logfile of HijackThis v1.99.1 Scan saved at 6:49:18 PM, on 11/06/06 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\TEMP\WZ7351\HIJACKTHIS.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62" O4 - HKLM\..\Run: [BlockChecker] C:\PROGRAM FILES\BLOCK CHECKER\block-checker.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE" O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/...06_regular.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...bscan_ansi.cab <><><><><><><><><><><><><><><><><><><><><><><> Thats all.......thank you for your analysis and advice. Chris |
| ||
| Re: Need help! Please analyze my HJT log! Hi, Open NotePad and copy the contents of the below "Quote" box to it:- Quote:
Download CCleaner and install it. Do not run it now! Open My Computer, then C:\ In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "BFU" Please download Brute Force Uninstaller to your desktop.
Save it in the same folder you made earlier (c:\BFU). Do not run the Uninstaller and the Remover yet. Reboot in Safe Mode:- Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter. Open My Computer and navigate to the c:\BFU folder.
Run HijackThis and click Do only a System scan. Then put a check mark infront of below listed entries:- O4 - HKLM\..\Run: [BlockChecker] C:\PROGRAM FILES\BLOCK CHECKER\block-checker.exe Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis. Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning. Double-Click on the Test.BAT. A DOS type window should open and close immediately. After this, delete these folders, if found:- c:\Program Files\Common Files\rmkw c:\My Documents\oucm Delete these files:- c:\Backup\IM\Identities\{2F851300-4E66-11D7-857F-0090D041CBE4}\Message Store\Attachments\09_PRICE.ZIP c:\Backup\IM\Identities\{2F851300-4E66-11D7-857F-0090D041CBE4}\Message Store\Attachments\ATT1394.EML c:\My Shared Folder\music from klite\Quicktime Multilang4.exe Reboot to Normal Mode. Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with a new HijackThis log. |