Press F1 | Thread ID: 79146 | 2007-05-09 13:44:00 | Help with HijackThis log and general virus disaster | started by Mantis (3703)
Post 548664 | 2007-05-09 13:44:00 | Mantis (3703)

After I suspected my PC had become infected with some sort of a virus or spyware (browser crashes, Spybot, AVG & Adaware all compromised) I formatted C:\ and did a fresh install of Windows today. After spending the whole day reinstalling my system and software, my Spybot and Adaware have both become compromised again. AVG finds nothing, so I tried a couple of other programs (Trojan Remover) which found nothing also... I first noticed the system compromised again after trying to restore an oldish backup of my Thunderbird profile; I'm not sure if this is what reinfected my system or something else???? I have run HijackThis and there are a couple of suspicious entries in the log posted below. Could anyone please help with advice on what to remove using HijackThis. Thanks very much. M.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:32:16 a.m., on 10/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\home\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178667723012
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-- End of file -
Post 548665 | 2007-05-09 13:55:00 | drcspy (146)

A glance through that logfile shows nothing suspect at all, and I checked with an online logfile analyzer and it said all good also. Have you considered running a hard drive diagnostic? And a RAM diagnostic?
Post 548666 | 2007-05-09 13:58:00 | Mantis (3703)

> A glance through that logfile shows nothing suspect at all, and I checked with an online logfile analyzer and it said all good also. Have you considered running a hard drive diagnostic? And a RAM diagnostic?

Hmmmmm, I'm totally new to running HijackThis, but from what I could find these entries seemed a little suspect:

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

But like I said, I'm completely new to this.... Could you recommend a good RAM and HD diagnostic program? Thanks for the help!
Post 548667 | 2007-05-09 14:04:00 | Faded_Mantis (79)

xpnetdiag.exe is a network diagnostic tool. No idea as to why the files are missing though?
Post 548668 | 2007-05-09 14:17:00 | drcspy (146)

Well, if they're missing then I wouldn't be too concerned. The online diagnostic showed no concern. The RAM tester I personally like is 'windiag' from Microsoft. HDD tester... well, that partially depends on the make. Check out your manufacturer's site for free diagnostic tools; they all have them.
Post 548669 | 2007-05-09 14:29:00 | Speedy Gonzales (78)

Yup, that Network Diagnostics is part of IE 7. The log looks clean to me. But you can tick these entries and click Fix checked. Close browsers first. And put HJT in its own folder before you run it again.

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe - Or disable this in Trojan Remover
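The posts above triage the log by eye: the O9 entries that HijackThis marks "(file missing)" and the O4 Run entries Speedy lists. Below is an added example of doing that first pass in code; it is not part of any post in this thread and not a HijackThis feature. It parses the "O4 - ..." style entry lines, pulls out the file each entry points at, and flags two things a reviewer looks at first: entries HJT itself reports as "(file missing)", and O4 autorun entries whose command is a bare executable name with no directory (here SOUNDMAN.EXE and nwiz.exe), which Windows resolves through its search order rather than from a fixed location, so it is worth confirming which file actually runs. The sample log embedded in the block is a constructed subset of the log posted in this thread; the regexes and the Entry class are this example's own assumptions, not HJT's format specification.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example for this thread, not part of any post or of HijackThis itself.
It parses the "Oxx - ..." / "Rx - ..." lines of an HJT log, extracts the file
each entry points at, and flags entries HJT marks "(file missing)" and O4
autorun entries that name a bare executable with no directory.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# An HJT entry line: a section code such as O4 or R1, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
# An absolute path rooted at a drive letter or an %ENVVAR%, ending in a
# PE or shortcut extension. Lazy so it stops at the first such extension.
ABS_PATH_RE = re.compile(
    r"(?:[A-Za-z]:|%[A-Za-z_]+%)\\.+?\.(?:exe|dll|cab|lnk)\b", re.IGNORECASE
)
# A bare file name such as "nwiz.exe" with no directory in front of it.
BARE_EXE_RE = re.compile(r"(?<![\\\w])(\w+\.exe)\b", re.IGNORECASE)


@dataclass
class Entry:
    code: str              # HJT section code, e.g. "O4"
    body: str              # everything after "O4 - "
    path: str | None       # absolute target path if one was found
    flags: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Entry]:
    """Return one Entry per HJT entry line; header and process lines are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        abs_match = ABS_PATH_RE.search(body)
        entry = Entry(code, body, abs_match.group(0) if abs_match else None)
        if "(file missing)" in body:
            entry.flags.append("missing")
        if code == "O4" and entry.path is None:
            # Text after the "[ValueName]" bracket is the command line itself.
            command = body.split("]", 1)[-1].strip()
            bare = BARE_EXE_RE.search(command)
            if bare:
                entry.flags.append("unqualified:" + bare.group(1))
        entries.append(entry)
    return entries


def section_counts(entries: list[Entry]) -> dict[str, int]:
    """How many entries each HJT section has, e.g. {"O4": 5, ...}."""
    return dict(Counter(e.code for e in entries))


def flagged(entries: list[Entry]) -> list[Entry]:
    """Only the entries worth a second look."""
    return [e for e in entries if e.flags]


# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(section_counts(parsed))
    for e in flagged(parsed):
        print(e.code, e.flags, "->", e.path or e.body)
```

Run against the sample it reports the two unqualified O4 commands and the missing xpnetdiag.exe O9 entry, and nothing else, which matches the thread's reading of the log. The caveat the rest of the thread illustrates still applies: an HJT log only covers autostart and browser hook locations, so a log with nothing flagged means those hooks look normal, not that the machine is healthy; here the symptoms turned out to be failing RAM.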
Post 548670 | 2007-05-09 14:40:00 | beeswax34 (63)

What are these three by the way, as I have them in my startup as well:

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Post 548671 | 2007-05-09 14:54:00 | Mantis (3703)

Thanks heaps for all the help. I'm currently running memdiag on the machine (posting this from another) and it's failing miserably. It may take me a while to understand the results and which memory component is failing. I hope it's a piece of RAM and nothing to do with the motherboard or anything else. Here's to thinking I had a virus and spending the whole day reformatting/reinstalling my system :rolleyes: Thanks again for the help at 1.30am-ish, super appreciated! M.
Post 548672 | 2007-05-09 14:57:00 | Speedy Gonzales (78)

> What are these three by the way, as I have them in my startup as well:
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
> O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

They're the video card driver entries.
Post 548673 | 2007-05-09 15:25:00 | Mantis (3703)

After running MemDiag from a boot CD the results showed that the memory failed every test. I have two sticks of 512 DDR SDRAM but the program could not tell me which module was failing. Is there any way to tell via Windows, or will I have to open the box, take each one out and then test individually? Thanks for any suggestions. M.