#1
hi. i took this hijack log because i am pretty sure i have a virus or some trojan etc. plz look at it and help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:21, on 29/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\servises.exe
D:\WINDOWS\system32\servises.exe
D:\WINDOWS\system32\servises.exe
D:\WINDOWS\system32\servises.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {0F018781-A7BA-45D5-9419-34577F88BBD6} - D:\WINDOWS\system32\bnfncanb.dll
O2 - BHO: (no name) - {1DD0AB98-AF24-4DA2-9F4F-F45D7F6F1ACe} - D:\WINDOWS\system32\bnfncanb.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {816D04B7-0512-4375-A88C-ADD62987FFA6} - d:\windows\system32\qrbfjbx.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [2124] D:\WINDOWS\system32\D.tmp.exe
O4 - HKLM\..\Run: [servises] D:\WINDOWS\system32\servises.exe
O4 - HKLM\..\Run: [reader_s] D:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [cdoosoft] D:\DOCUME~1\Mohi\LOCALS~1\Temp\olhrwef.exe
O4 - HKCU\..\Run: [Yahoo Messengger] D:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [reader_s] D:\Documents and Settings\Mohi\reader_s.exe
O4 - HKCU\..\Run: [servises] D:\WINDOWS\system32\servises.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] D:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] D:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] D:\Documents and Settings\Mohi\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] D:\WINDOWS\system32\servises.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] D:\Documents and Settings\Mohi\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [servises] D:\WINDOWS\system32\servises.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nhhneegu - D:\WINDOWS\SYSTEM32\qrbfjbx.dll
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - D:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

-- End of file - 5218 bytes
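As an added example (not part of the original post or of HijackThis), a small Python triage script that applies to the O4 autostart lines above the checks an analyst makes by eye: a binary name one or two characters off a genuine Windows process, an autostart from Temp or the profile root, a numeric run-key name or a .tmp.exe file, and one binary registered under several hives at once. The sample lines are copied from the log above; the rule names, the list of genuine binaries and the thresholds are this example's own choices.

```python
import re
from collections import Counter
# Constructed sample: a subset of the O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [2124] D:\WINDOWS\system32\D.tmp.exe
O4 - HKLM\..\Run: [servises] D:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdoosoft] D:\DOCUME~1\Mohi\LOCALS~1\Temp\olhrwef.exe
O4 - HKCU\..\Run: [Yahoo Messengger] D:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [reader_s] D:\Documents and Settings\Mohi\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] D:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [servises] D:\WINDOWS\system32\servises.exe (User 'SYSTEM')
"""
# Genuine Windows XP binaries whose names malware is often built to resemble (example's own list).
LEGIT = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
         "winlogon.exe", "explorer.exe", "ctfmon.exe", "taskmgr.exe"}
O4_RE = re.compile(r'^O4 - (\S+): \[([^\]]*)\] "?(.*?\.(?:exe|dll))', re.I)
USER_DIR_RE = re.compile(r"\\temp\\|\\docume~1\\|\\documents and settings\\[^\\]+\\[^\\]+$", re.I)

def lookalike(base):
    # Genuine name that `base` resembles: same length, at most two characters differ.
    if base in LEGIT:
        return None
    return next((r for r in LEGIT if len(r) == len(base)
                 and sum(a != b for a, b in zip(base, r)) <= 2), None)

def triage(log_text):
    """Return (finding, entry_name, path) triples; one entry may yield several."""
    findings, seen_in = [], Counter()
    for line in log_text.splitlines():
        if not (m := O4_RE.match(line)):
            continue
        _hive, name, path = m.groups()
        base = path.rsplit("\\", 1)[-1].lower()
        seen_in[base] += 1
        if real := lookalike(base):
            findings.append((f"look-alike of {real}", name, path))
        if USER_DIR_RE.search(path):
            findings.append(("autostart from a user-writable location", name, path))
        if name.isdigit() or base.endswith(".tmp.exe"):
            findings.append(("throwaway run-key name or temp-style file", name, path))
    # The same binary under three or more autostart keys is aggressive persistence.
    for base, n in seen_in.items():
        if n >= 3:
            findings.append((f"registered in {n} autostart locations", base, ""))
    return findings

if __name__ == "__main__":
    for rule, name, path in triage(SAMPLE_LOG):
        print(f"{rule:45} [{name}] {path}")
```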
#2
Quote:
Many of the major antivirus vendors have Virut removal tools, but many times Virut is not repairable. The only reliable way to remove Virut is removing the system files it has infected and in turn crippling the system and calling for a reformat/reinstall anyway. Remember it is always spreading, so trying to contain it is impossible. See this article on why it is so destructive: Under the Hood: Virut

If you do try to repair this without reformatting, then your best chance is using the Avira AntiVir Rescue CD (free) and/or the Dr Web LiveCD (also free).

Backing up files before formatting

If you back up any files, they should be scanned from a clean, properly protected PC before restoring. Also be careful what scanner is used, as some are very poor at detecting and even worse at protecting from this infection. In fact, due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only back up files you can not replace, like text documents and personal photos. Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.

I suggest running at least 3 of the below scanners on the backup files. Run the first scan, then reboot before running the second, then reboot after the second before running the third.

-) Dr.Web CureIt!
-) AVG Win32/Virut Removal Tool
-) Symantec W32.Virut Removal Tool
-) McAfee Avert Stinger
-) Microsoft Windows Malicious Software Removal Tool

If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/

Very important, do the following immediately or as soon as possible!

If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers. From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc. DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.