Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:24 AM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {a33fa729-d155-4b23-842b-2c665ecabdb6} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {07CB8D91-1B6D-4E57-B673-3CA2B0C0EAE1} - C:\WINDOWS\system32\mljhGYsR.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BA418DD6-1841-472A-B262-B46531266939} - C:\windows\system32\iifcAtqr.dll (file missing)
O2 - BHO: (no name) - {BEEA65BE-2527-43DA-A41E-7238F9CB1C35} - (no file)
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\qoMeEVmL.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {a33fa729-d155-4b23-842b-2c665ecabdb6} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [SpybotDeletingA1279] command /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6449] cmd /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA446] command /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7845] cmd /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7784] command /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5682] cmd /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5678] command /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4687] cmd /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6721] command /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5823] cmd /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2200] command /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9587] cmd /c del "C:\WINDOWS\system32\iifcAtqr.dll_old"
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZN
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\WINDOWS\system32\rlai.dll
O20 - Winlogon Notify: qoMeEVmL - qoMeEVmL.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6229 bytes
Notes: This log is posted for a course lab on troubleshooting an infected PC, so we don't need detailed instructions on how to remove all the viruses. It was purposely infected and will most likely be reimaged, therefore don't waste precious time deciphering this evil log, but a demonstration of how you would normally advise users to fix problems would be greatly appreciated.