My Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:11 AM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll16.exe C:\WINDOWS\system32\c_10083.nls
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NodLogin] "C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" /o
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5897 bytes


Is there anything wrong with my logfile?
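Added example, not code from the original post and not part of HijackThis: a small Python checker that reads a HijackThis log and reports the items this thread turns on. HijackThis shows the Winlogon Userinit value as an F2 line; on a live machine that value sits under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in the Userinit entry, and a stock Windows XP install carries only "C:\WINDOWS\system32\userinit.exe,". Every comma-separated program after that is started by winlogon.exe at each interactive logon, so it is a favourite persistence point. In the posted log the appended program is rundll16.exe (Windows ships rundll32.exe, not rundll16.exe) given a .nls file as its argument, and rundll16.exe does not appear in the running-processes list. The script also lists entries tagged "(file missing)" and autorun entries whose program is not in the process list, which is what the "traces" of removed antivirus products look like in a log. The embedded log is a constructed excerpt of the one above; the lookalike-name table and the "not running" heuristic are my assumptions, and unquoted paths containing spaces in the Userinit value are not handled.

```python
"""Checker for the parts of a HijackThis log discussed in this thread:
a tampered Winlogon Userinit value (F2 line) and leftover registrations.
Added example; the log below is a constructed excerpt of the posted one."""
import re

# Constructed excerpt of the posted log (entries copied from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\Explorer.EXE

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll16.exe C:\WINDOWS\system32\c_10083.nls
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
"""

# The only program Windows itself puts in Winlogon\Userinit.  Each further
# comma-separated element is launched by winlogon.exe at every logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Windows ships rundll32.exe, not rundll16.exe; near-miss names are a common
# disguise.  Assumption: only the name seen in this log is listed here.
LOOKALIKE_NAMES = {"rundll16.exe": "rundll32.exe"}

O4_RE = re.compile(r'^O4 - .*?: \[(.*?)\] "?([A-Za-z]:\\[^"]*?\.exe)"?', re.M | re.I)


def userinit_entries(log):
    """Return the comma-separated programs of the F2 UserInit line ([] if absent)."""
    m = re.search(r"^F2 - REG:system\.ini: UserInit=(.*)$", log, re.M)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(",") if e.strip()]


def check_userinit(log):
    """Flag every UserInit element that is not the stock userinit.exe.
    Returns a list of (entry, reason) tuples; empty on a clean value."""
    findings = []
    for entry in userinit_entries(log):
        tokens = entry.split()          # program first, then its arguments
        exe = tokens[0].lower()
        if exe == EXPECTED_USERINIT:
            continue
        reasons = ["extra program appended to Winlogon Userinit"]
        name = exe.rsplit("\\", 1)[-1]
        if name in LOOKALIKE_NAMES:
            reasons.append("name mimics " + LOOKALIKE_NAMES[name])
        if any(t.lower().endswith(".nls") for t in tokens[1:]):
            reasons.append("argument is a .nls (code-page data) file, not something a loader normally runs")
        findings.append((entry, "; ".join(reasons)))
    return findings


def missing_files(log):
    """Lines HijackThis tagged '(file missing)': a registration whose target is
    gone, typically left behind by an uninstalled product (here AVG's BHO)."""
    return [line for line in log.splitlines() if line.endswith("(file missing)")]


def running_processes(log):
    """Lower-cased paths from the 'Running processes:' block."""
    procs, in_block = set(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line.strip():
            break
        elif in_block:
            procs.add(line.strip().lower())
    return procs


def autoruns_not_running(log):
    """Names of O4 Run entries whose full-path .exe is not in the process list.
    Heuristic only: the program may simply have exited, or its product may have
    been removed while the autorun stayed (the 'traces' the reply mentions)."""
    procs = running_processes(log)
    return [name for name, path in O4_RE.findall(log) if path.lower() not in procs]


if __name__ == "__main__":
    for entry, why in check_userinit(SAMPLE_LOG):
        print("F2 suspicious:", entry, "->", why)
    for line in missing_files(SAMPLE_LOG):
        print("leftover:", line)
    for name in autoruns_not_running(SAMPLE_LOG):
        print("autorun not running:", name)
```

On the posted log this reports the rundll16.exe entry on the Userinit line, the AVG BHO whose avgssie.dll is missing, and the BitDefender autorun whose IEShow.exe is not among the running processes. The checker only says that the Userinit value is not the stock one; whether the appended file is malicious is decided by examining the file itself, which is why the reply asks for it to be zipped and attached.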

Comments

  • alexcrist
    edited February 2008

    Hello Chondo,


    The only thing suspicious is:


        F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll16.exe C:\WINDOWS\system32\c_10083.nls

    Please find the file C:\WINDOWS\system32\c_10083.nls, put it in a ZIP archive with the password "infected" and attach it to your next post.


    Also, there are signs of multiple antiviruses on your system. As far as I can see, they were removed, but some traces remain.


    Please tell me which AV you use, so that I can tell you how to completely remove the other ones. Those traces might conflict with your current installation, and you might get in trouble.


    Cris.

  • Please also attach

    C:\WINDOWS\system32\rundll16.exe
    C:\WINDOWS\system32\c_10083.nls

    I'll be waiting for the archive.

  • shafizal
    edited February 2008

    I uninstalled the AV already; I'm currently using ESET NOD32 Antivirus 3.0.621.0.

    Eh, by the way, there's no more "C:\WINDOWS\system32\rundll16.exe".

    The pass is virus. =) Thanks.

    Attachment: hijackthis.zip

  • How do I remove traces of my last antivirus?