Thread 93172 in Press F1, started 2008-09-06 06:46:00 by tingle (6539): "HijackThis log. Any help please??"
Post 702924, 2008-09-06 06:46:00:

hey guys,

At a friend's place. Win XP PC.
I have run Malwarebytes' Anti-Malware and it found a few hundred nasties, which it fixed. Nod32 on startup still says -

Win32/TrojanDownloader.FakeAlert.IQ trojan

Event occurred on a new file created by the application: C:\Documents and Settings\All Users\Application Data\gngtqhsl\alqngnkt.exe. The file was moved to quarantine. You may close this window.

I can't seem to get rid of this .

hijack log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:11 p.m., on 6/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\gngtqhsl\alqngnkt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [BvRfeREeVi] C:\Documents and Settings\All Users\Application Data\gngtqhsl\alqngnkt.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Keno by pogo - http://game1.pogo.com/v/8.1.1.1/applet/keno/keno-en_US.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119739092640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173071837109
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5802 bytes
Any help in analysing this is much appreciated!
Cheers
tingle (6539)
Post 702925, 2008-09-06 07:15:00:

Uninstall MyWebSearch if it's in Add/Remove Programs

Tick these, then tick Fix checked

Close browsers

C:\Documents and Settings\All Users\Application Data\gngtqhsl\alqngnkt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Policies\Explorer\Run: [BvRfeREeVi] C:\Documents and Settings\All Users\Application Data\gngtqhsl\alqngnkt.exe

Select all options under Utilities in Trojan Remover as well

If alqngnkt.exe is still there after, reboot, disable System Restore, then delete gngtqhsl\alqngnkt.exe
Speedy Gonzales (78)
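The reply above picks its "tick these" lines by eye using a few recurring tells: hooks and BHOs that resolve to "(no file)", a Local Page that is a bare relative path, and an autostart entry under Policies\Explorer\Run that launches an executable from a data directory rather than Program Files. The script below is an added example, not code from the thread or from HijackThis; it encodes those same tells as heuristics over the HijackThis log format and cross-checks flagged autostarts against the "Running processes" list, since a file that is still running has to be stopped (or the machine rebooted) before it can be deleted, which is the order the reply gives. The embedded sample log is constructed from entries in the posted log; the rule names and thresholds are this example's own choices.

```python
"""Triage a HijackThis v2 log with the heuristics a forum helper applies by eye.

Added example: the rules below are this script's own (hypothetical) choices,
not HijackThis's logic, and will produce false positives on odd installers.
"""
import re

# Constructed sample in HijackThis log format. The entries are copied from the
# log posted in this thread so the output can be checked against the reply.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Documents and Settings\All Users\Application Data\gngtqhsl\alqngnkt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Policies\Explorer\Run: [BvRfeREeVi] C:\Documents and Settings\All Users\Application Data\gngtqhsl\alqngnkt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# Autostart key that legitimate installers almost never write to.
SUSPICIOUS_RUN_KEYS = ("\\policies\\explorer\\run",)
# An autostart executable under a data or temp directory, rather than under
# Program Files or the Windows directory, is the classic dropper layout.
DATA_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


def _autostart_path(body):
    """Executable path from an O4 body of the form 'key: [name] "path" args'."""
    _, _, rest = body.partition("]")
    rest = rest.strip().lstrip('"')
    m = re.match(r"(.+?\.exe)", rest, re.IGNORECASE)
    return m.group(1) if m else rest


def triage(log_text):
    """Return [(entry_line, [reasons])] for entries a reviewer should inspect."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("hook points at a file that no longer exists")
        if kind == "R0" and "Local Page" in body:
            value = body.split("=", 1)[1].strip()
            if value.startswith("\\"):
                reasons.append("Local Page is a bare relative path")
        if kind == "O4":
            key = body.split(":", 1)[0].lower()
            path = _autostart_path(body).lower()
            if any(k in key for k in SUSPICIOUS_RUN_KEYS):
                reasons.append("autostart via Policies\\Explorer\\Run")
            if any(d in path for d in DATA_DIRS):
                reasons.append("autostart executable lives in a data/temp directory")
        if reasons:
            findings.append((line, reasons))
    return findings


def still_running(log_text):
    """Flagged autostart executables that also appear in the process list.

    These must be stopped (or the machine rebooted) before deletion."""
    running = {l.strip().lower() for l in log_text.splitlines()
               if PROCESS_RE.match(l.strip())}
    hits = []
    for line, _ in triage(log_text):
        m = ENTRY_RE.match(line)
        if m.group("kind") == "O4":
            path = _autostart_path(m.group("body"))
            if path.lower() in running:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
    for path in still_running(SAMPLE_LOG):
        print("running now, stop or reboot before deleting:", path)
```

On the sample the script flags exactly the five lines the reply ticks (the relative Local Page, the three "(no file)" hooks and the Policies\Explorer\Run entry) and reports alqngnkt.exe as still running, which is why the reply tells the poster to reboot before deleting it. The Start Page, the Windows Live BHO and the NOD32 entries pass, as a reviewer would expect.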
Post 702926, 2008-09-06 08:09:00:

Thanks Speedy, all good now!
You're a real asset to this place!!
Your case of bourbon is in the mail.
tingle (6539)
Post 702927, 2008-09-06 08:11:00:

Cool :banana :)
Speedy Gonzales (78)