Few weeks back my home laptop (Win XP) got infected with a virus because I did the unthinkable. Clicked on an exe file which apparently had not come from a trusted source. It was an immediate reaction to double-click it and before I could stop it the damage was done!
Because of the error messages I was getting then, I remember (this was 6 weeks back) trying to get some info and some suggesting that it was VIRUT which people said would not go even if you format your HDD and the only way out is to get a new HDD. I am hoping that things can be better!
I was not able to get into it for the past few days but am now determined to see if I can find a way to resolve the issue. Key "symptoms":
- Unable to work in the regular boot mode. I get an error message which says something to the effect " Your system will shutdown in 60 seconds. And then it refers to a file at c:\windows\system32\services.exe and includes some error code which I am not able to note as the system shuts down.
- Can only work in the safe mode
- When I had earlier tried to work in the regular mode, several .exe files used to get generated. I am sorry I am not able to explain what all I did then as it is some time back but am now willing to go ahead as instructed to get to the bottom of this.
For starters, I am posting here my HijackThis log. On the date stamp : my laptop's battery failed recently (unrelated) and so it shows an old date as it has lost its system time.
Log pasted below. Thanks!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:56 AM, on 12/16/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\3361\services.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://stat.winrar2009.cn:88/ic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe calc.ifo beforemain
F3 - REG:win.ini: load=C:\WINDOWS\system32\mscbjx.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msokqy.exe
O2 - BHO: (no name) - {05367F41-96DA-4EBE-94BC-B9883741BFE8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: (no name) - {C2141CDF-1EEE-4884-B1B8-227D88617F19} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKCU\..\Run: [kell] c:\program Files\Manson\liser.exe
O4 - HKCU\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msjjxln.exe
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O4 - Startup: fmnupd32.exe
O4 - Startup: zqosys32.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activatemydsl...ads/tgctlcm.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1208022049440
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: dffaaafbbacdae - C:\WINDOWS\system32\dffaaafbbacdae.dll
O20 - Winlogon Notify: ehfctvdm - fibytox.dll (file missing)
O20 - Winlogon Notify: vvascahb - C:\WINDOWS\SYSTEM32\vvascahb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: jmnhhgrtja35ujghuykj6r8io9iujg80 - Unknown owner - C:\WINDOWS\jmnhhgrtja35ujghuykj6r8io9iujg81.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: xdfhs3we5sejahag2hzdehwgasfq80 - Unknown owner - C:\WINDOWS\xdfhs3we5sejahag2hzdehwgasfq81.exe
O23 - Service: zgtkg3jrsyzdb6wtgw3rh3wahhrjkae80 - Unknown owner - C:\WINDOWS\zgtkg3jrsyzdb6wtgw3rh3wahhrjkae81.exe
--
End of file - 7353 bytes