Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Stealth Hjack log


  • Please log in to reply

#1
emydobos

emydobos

    New Member

  • Member
  • Pip
  • 1 posts
Hi, today my folks entered some travel site and suddenly this big x appeared on the bar telling me my pc is infected with this hjack virus. I read some topics, and made this log. Please help.



Logfile of HijackThis v1.99.1
Scan saved at 8:24:12 PM, on 7/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\WINDOWS\Mixer.exe
D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\WINDOWS\System32\MMTray.exe
D:\WINDOWS\System32\MMTray2k.exe
D:\WINDOWS\System32\MMTrayLSI.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\kituri\Emule\emule.exe
D:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
D:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
D:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
D:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
D:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Emy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgo...info/ad/ad0411/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] D:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nulknsd] D:\WINDOWS\nulknsd.exe
O4 - HKLM\..\Run: [BDMCon] D:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] D:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [DataLayer] D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Systems] D:\WINDOWS\System32\itDDD.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eMuleAutoStart] C:\kituri\Emule\emule.exe -AutoStart
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117276108566
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6148E5F8-623D-49C7-B40B-18C97221BB54}: NameServer = 81.180.254.158 81.180.254.157
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Leadtek Driver Helper Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - D:\WINDOWS\svchost.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Howdy emydobos and Welcome to GeekstoGo!!

I need to ask you for a sample of a few files please!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Right Click the Desktop and Select Compressed(zipped)Folder!

Click Start>> Run>> Type in services.msc and click OK!

Scroll that list and locate this entry

PowerManager

Now,Click Stop and go to Startup Type and Click Disabled!

Now locate these files

D:\WINDOWS\svchost.exe<< That must be in that location only!!

D:\WINDOWS\nulknsd.exe<< That must be in that location only!!

D:\WINDOWS\System32\itDDD.exe<< That must be in that location only!!

Place a copy of each of those in the New Zip Folder,now before you close the folder,go up and click File>> Add a Password

Make the Password "infected"<< All Lower Case letters please!

Restart Normal

Email those files here>> filesubmit@charter.net

Have each of those files scanned at these 2 sites

http://www.virustota...h/index_en.html

and

http://virusscan.jotti.org/

If they scan infected,please upload them to this site with a link to our post!

http://www.thespykiller.co.uk/forum/

Now have the PC Scanned here but dont let it repair anything just yet!
http://security.syma...IMXQKCDTOSKVYRM

Click Virus Detection and Save any results you get!

We need to know for sure what we have here!

Please Dont Use this PC and Turn it off completely if you have another way to access the Internet!

Disconnect it from any Networks and let it be if possible!

Post back with a Confirmation that the files were mailed and or uploaded and the Results of the Scan!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP