You are here:
- Home
- Computing/Technology
- Internet/Network Security
- Computer Security & Viruses
- hijack this log analysis
Computer Security & Viruses/hijack this log analysis
Advertisement
Question
here is my hijack this log file
---------log file-------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:41 PM, on 3/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
d:\program files\mcafee.com\agent\mcdetect.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\System32\RunDll32.exe
D:\WINDOWS\System32\VTTimer.exe
D:\Program Files\McAfee.com\VSO\mcvsshld.exe
D:\Program Files\McAfee.com\VSO\oasclnt.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\Rundll32.exe
D:\Program Files\McAfee.com\VSO\mcvsshld .exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\McAfee.com\VSO\oasclnt .exe
F:\Program Files\Customizer XP\RAMIdle.exe
D:\PROGRA~1\mcafee.com\agent\mcagent .exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\WINDOWS\System32\ctfmon .exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
D:\Program Files\McAfee.com\VSO\mcmnhdlr .exe
D:\WINDOWS\System32\dllhost.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [McRegWiz] D:\PROGRA~1\mcafee.com\agent\MC9C99~3.EXE /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "D:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] D:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] D:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] d:\PROGRA~1\mcafee.com\agent\MCUPDA~1.EXE
O4 - HKLM\..\Run: [Demo] C:\demo.exe
O4 - HKLM\..\Run: [321c14a8] rundll32.exe "D:\WINDOWS\System32\vinauuvn.dll",b
O4 - HKLM\..\Run: [KEI] D:\WINDOWS\System32\rundll32.exe "D:\Documents and Settings\All Users\Application Data\KEI\KEI.dll" KEI
O4 - HKLM\..\Run: [runner1] D:\WINDOWS\mrofinu691.exe 61A847B5BBF728143B9A284503996897C881250221C8670836AC4FA7C88332017491394661A64DB7C8F7287E55E246220D9E728F80D6664366DB7D507BF80FB68AD6
O4 - HKLM\..\Run: [BMab21490e] Rundll32.exe "D:\WINDOWS\System32\vnednoxr.dll",s
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan .exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] D:\WINDOWS\System32\SSVICHOSST.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] D:\WINDOWS\System32\SSVICHOSST.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMIdle.lnk = F:\Program Files\Customizer XP\RAMIdle.exe
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - d:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
--
End of file - 5372 bytes
Hello Suyash
I'll be glad to help you out here. You are running XP without any Service Packs or Security Patches installed. This has led to a number of infections on your machine. After cleaning the malware, I strongly suggest running Windows Update to fully secure your PC. Please follow the steps below to begin the cleanup:
Turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Then, download ComboFix here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. You should now press the number 2 key to clean and then press the enter key to continue. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the program report will be located at C:\ComboFix.txt. It will then display the log file automatically for you.
Next, download Dr.Web Cureit from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the files found:
* If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, send me the contents of the log from Dr.Web, along with the ComboFix log and a fresh HJT log.
Brian
Related Articles
- Expand (Recovery Console) - Expand Command Details
- Windows File Associations
- Mac OS X vs. Windows XP File System Performance
- Restore NTLDR Ntdetect.com - How To Restore NTLDR and Ntdetect.com From the Windows XP CD - NTLDR Ntdetect.com
- System Restore Windows 7 - How To Use System Restore to Undo System Changes in Windows 7
Computer Security & Viruses
Answers by Expert:
Brian Benosky
Expertise
I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.
Experience
I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here:
http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm
I am also a Top Contributor of General Computing answers in Yahoo! Questions.
Education/Credentials
College Educated
Self-taught Computer Skills
©2012 About.com, a part of The New York Times Company. All rights reserved.