“If your system is running slow or crashes frequently or behaving weird then your systeam is infected with a virus/worm or a Trojan.Don’t panic we are here to help you, just follow the below steps”
Step 1: Download HijackThis (392 kb) and scan your system with it.
Step 2: HijackThis will generate a log file, copy the content of it and post it here as comment.
Step 3: Wait for our security team to respond with a solution to your problem.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:21 AM, on 7/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Opera\opera.exe
C:\DOCUME~1\AKASH~2.ILL\LOCALS~1\Temp\winsemtfc.exe
C:\DOCUME~1\AKASH~2.ILL\LOCALS~1\Temp\winvulxa.exe
C:\DOCUME~1\AKASH~2.ILL\LOCALS~1\Temp\wincbixn.exe
C:\Documents and Settings\Akash.ILLUSION-4015A9\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\HiJackThis.exe
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [VTTimer] VTTimer.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
–
End of file – 1335 bytes
Unwanted/Suspicious Program:
C:\DOCUME~1\AKASH~2.ILL\LOCALS~1\Temp\winsemtfc.exe
C:\DOCUME~1\AKASH~2.ILL\LOCALS~1\Temp\winvulxa.exe
C:\DOCUME~1\AKASH~2.ILL\LOCALS~1\Temp\wincbixn.exe
Delete or Analyse them immediately !
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:27 PM, on 8/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Reliance Netconnect\Reliance Netconnect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 – BHO: AcroIEHelperStub – {18DF081C-E8AD-4283-A596-FA578C2EBDC3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 – BHO: Symantec Intrusion Prevention – {6D53EC84-6AAE-4787-AEEE-F4628F01010C} – C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 – BHO: Google Toolbar Helper – {AA58ED58-01DD-4d91-8333-CF10577473F7} – c:\program files\google\googletoolbar1.dll
O2 – BHO: Google Toolbar Notifier BHO – {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} – C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 – Toolbar: &Google – {2318C2B1-4965-11d4-9B18-009027A5CD4F} – c:\program files\google\googletoolbar1.dll
O4 – HKLM\..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 – HKLM\..\Run: [osCheck] “C:\Program Files\Norton AntiVirus\osCheck.exe”
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 – HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 – HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 – HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 – HKCU\..\Run: [RegCom32] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\critical_updates.exe
O4 – HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 – HKCU\..\Run: [Google Update] “C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 – HKCU\..\Run: [Messenger (Yahoo!)] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 – HKCU\..\Run: [SRS Audio Sandbox] “C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe” /hideme
O8 – Extra context menu item: Add to Google Photos Screensa&ver – res://C:\WINDOWS\system32\GPhotos.scr/200
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: (no name) – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O17 – HKLM\System\CCS\Services\Tcpip\..\{82CDE846-963D-4AD9-B2DE-1C9D4254F25F}: NameServer = 202.138.97.193 202.138.96.2
O17 – HKLM\System\CS1\Services\Tcpip\..\{82CDE846-963D-4AD9-B2DE-1C9D4254F25F}: NameServer = 202.138.97.193 202.138.96.2
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: Symantec Settings Manager (ccSetMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: Symantec Lic NetConnect service (CLTNetCnService) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: Google Updater Service (gusvc) – Google – C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 – Service: LiveUpdate Notice – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 – Service: Symantec Core LC – Unknown owner – C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
–
End of file – 5530 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:50 PM, on 10/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Softwares\HiJackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bsnl.co.in
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 – BHO: AcroIEHelperStub – {18DF081C-E8AD-4283-A596-FA578C2EBDC3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (file missing)
O2 – BHO: RealPlayer Download and Record Plugin for Internet Explorer – {3049C3E9-B461-4BC5-8870-4C09146192CA} – C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 – BHO: WormRadar.com IESiteBlocker.NavFilter – {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} – C:\Program Files\AVG\AVG8\avgssie.dll
O2 – BHO: Java(tm) Plug-In 2 SSV Helper – {DBC80044-A445-435b-BC74-9C25C1C588A9} – C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 – BHO: JQSIEStartDetectorImpl – {E7E6F031-17CE-4C07-BC86-EABFE594F69C} – C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 – HKLM\..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 – HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 – HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 – HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 – HKLM\..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 – HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 – HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 – HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [Google Update] “C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 – HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User ‘Default user’)
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 – Extra button: (no name) – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O16 – DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) – http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{EA23AD24-4F56-4049-971B-3EDB769AEBDA}: NameServer = 218.248.240.180 218.248.240.181
O18 – Protocol: linkscanner – {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} – C:\Program Files\AVG\AVG8\avgpp.dll
O20 – Winlogon Notify: avgrsstarter – C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 – Service: AVG Free8 E-mail Scanner (avg8emc) – AVG Technologies CZ, s.r.o. – C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 – Service: AVG Free8 WatchDog (avg8wd) – AVG Technologies CZ, s.r.o. – C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 – Service: Java Quick Starter (JavaQuickStarterService) – Sun Microsystems, Inc. – C:\Program Files\Java\jre6\bin\jqs.exe
–
End of file – 5396 bytes
These are valid program, but it is up to you whether or not you want it to run on startup.These programs is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.
O4 – HKLM\..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 – HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 – HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 – HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 – HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 – HKLM\..\Run: [PV92TRAY] PV92Tray.exe
-Archana S K (Security Advisor)
Hii ask i’m pratap ur orkut buddy..
my got infected with virus i couldn’t remove the virus even with autorun eater my pendrive contains autorun file.. i doesn’t allow me to format the pendrive.. though i formating in safe mode .. autorun file comes again and again
the file content is…
open=SEKACHK///spinter.exe
%fsafwlgkjdgkeOêôàê×ÔÀÊÔ×ÊÔåìê÷ô÷îå
icon=%SystemRoot%\system32\SHELL32.dll,4
^äàñôëêåÔ×ËÅêŒÔêœåÔÊËÏØÅÔkl?fASLFWD?F?w?dQdwq
action=Open folder to view files using Windows Explorer
*fasfl?P?GFLOP?Geglep?GKF?ASfa
Shell\open\command=SEKACHK///spinter.exe
!fsafW??LFP??ELFäÀÇÝÆÛÔÄÀÇÕÖÄÀÝÓÀÄÙÇÕàóàôûàôöóàó
shell\open\command=SEKACHK///spinter.exe
#âàûôàäïÝÆÓÄÏÀÇÓÀÄÞÔÛÝÆÄÀÖÇÕÀÊäóÝÏæïäàâýæäàýûæÀÄôûýàäçõöéà
USEAUTOPLAY=1
@âôûâöäçàÄÓÝÄïýäýïäçõóêàÇÝÆÔÛÄÀÇÄÀÝÓÀlweusfslaflnfkjdfnLEfjWEfkAE
—-
plzzz ask provide me a solution my pendrive is of 4GB i bought it for 2000/- plzzzz reply to mee ramagiripratap@gmail.com
Hii ask i’m pratap ur orkut buddy..
my got infrected i couldn’t remove the virus even with autorun virus my pendrive contains autorun file.. i doesn’t allow me to format the pendrive.. though i formating in safe mode .. autorun file comes again and again
the file content is…
open=SEKACHK///spinter.exe
%fsafwlgkjdgkeOêôàê×ÔÀÊÔ×ÊÔåìê÷ô÷îå
icon=%SystemRoot%\system32\SHELL32.dll,4
^äàñôëêåÔ×ËÅêŒÔêœåÔÊËÏØÅÔkl?fASLFWD?F?w?dQdwq
action=Open folder to view files using Windows Explorer
*fasfl?P?GFLOP?Geglep?GKF?ASfa
Shell\open\command=SEKACHK///spinter.exe
!fsafW??LFP??ELFäÀÇÝÆÛÔÄÀÇÕÖÄÀÝÓÀÄÙÇÕàóàôûàôöóàó
shell\open\command=SEKACHK///spinter.exe
#âàûôàäïÝÆÓÄÏÀÇÓÀÄÞÔÛÝÆÄÀÖÇÕÀÊäóÝÏæïäàâýæäàýûæÀÄôûýàäçõöéà
USEAUTOPLAY=1
@âôûâöäçàÄÓÝÄïýäýïäçõóêàÇÝÆÔÛÄÀÇÄÀÝÓÀlweusfslaflnfkjdfnLEfjWEfkAE
—-
plzzz ask provide the solution my pendrive is of 4GB i bought it for 2000/- plzzzz reply to mee ramagiripratap@gmail.com
I need a hijackthis log file,post it here,to know how to do it follow the steps mentioned in the above post.
I must convey my appreciation for your kind-heartedness giving support to men and women who must have assistance with that issue. Your personal dedication to getting the message across turned out to be particularly practical and have all the time empowered workers like me to reach their goals. The valuable recommendations signifies much a person like me and still more to my colleagues. With thanks; from all of us.
Thank you for a very interesting blog. What else could I get that kind of info written in such a perfect means? I have a project that I’m simply now working on, and I’ve been on the look out for such info.