Solve : hjt log files?


Would it be possible for someone to take a look at my hijackthis log? I have no idea how to read these. My client was complaining of pop-ups and threat alerts from AVG stating that her personal information was being compromised. I rushed to her house this evening and immediately installed HijackThis and ran a scan, then saved the log. Next, I updated her AVG, and now I am running a scan. So far the scan has found 22 trojan/viruses.

After the scan is complete, my plan of attack is to follow evilfantasy's step by step Guide to removing malware etc. so I can get rid of all that nasty stuff.

Hopefully I am taking the correct steps.
Attached is a copy of the hjt log.

Thanks,
Solotekk


[saving space - attachment deleted by admin]

You'll do better, if you start with those steps from evilfantasy's guide.

BTW...HJT log looks strange. Only O23 (services) entries listed.

Quote from: Broni on December 18, 2007, 08:45:12 PM

BTW...HJT log looks strange. Only O23 (services) entries listed.

Ditto.

There are some strange entries even though there are only a few.

This may be a case for renaming HijackThis before running any more scans with it.


Delete the HijackThis shortcut you have on the desktop.

Enable Viewing Of Hidden System Files & Folders

1. Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.

Now go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on the HijackThis.exe and select Rename.
Rename it to chscan.exe and press enter.
Now right click the chscan.exe and send it to the desktop as a shortcut.

As Broni stated, you should run the other scans and post the logs. Run a new HijackThis scan last and post that also.

thanks. I will get started on that, and then post the logs.

ttys

here are the scan log files.

let me know what you suggest.

thanks,
solotekk



[saving space - attachment deleted by admin]

Open HijackThis and select Do a system scan only then place a check mark next to:


O2 - BHO: (no name) - {5136B3A0-0856-4D2E-9BA8-C657448668D1} - (no file)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - (no file)
O2 - BHO: (no name) - {973FBB2F-AB8C-4637-92A8-E55F83D64E45} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - (no file)
O20 - Winlogon Notify: fccaxwu - fccaxwu.dll (file missing)
O20 - Winlogon Notify: vtuurss - vtuurss.dll (file missing)


Close all windows except for HijackThis and click Fix checked

----------

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

  • Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
  • When finished, it will produce a log for you.
  • Attach that log in your next reply.
Do not mouseclick combofix's WINDOW while it's running. That may cause your computer to stall


Also add a new HijackThis log.

here are the logs.

oh YEAH, there is a program that seems fishy to me. It's in the add/remove programs list and it says that in order for me to uninstall completely, i should go to the WEBSITE.
the website name is www.outerinfo.com
my client has never heard of the program or the website.

can you investigate this and let me know if it's legit?
and is it in the logs?
thx.


[saving space - attachment deleted by admin]

Open HijackThis and select Do a system scan only then place a check mark next to:


O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"


Close all windows except for HijackThis and click Fix checked


Then locate and delete this file/folder: QdrPack10.exe found at C:\Program Files\QdrPack\QdrPack10.exe

----------

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

Quote
File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\kpdsrngl.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\windows\system32\kpdsrngl.exe

Folder::
C:\WINDOWS\system32\ineWc01
C:\temp\tpBe12
C:\WINDOWS\system32\mm6
C:\WINDOWS\system32\hv2
C:\WINDOWS\system32\dr1

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{51-1E-ED-D1-ZN}]

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

----------

Repost a new HijackThis log and let me know how things are now.
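As an added example that is not part of the thread: a small Python triage helper for the HijackThis log lines discussed above (the O2/O20 entries marked "(no file)" or "(file missing)" and the O4 Run entry), plus a section listing that surfaces the "only O23 entries" oddity Broni noticed. The sample log is constructed from the lines quoted in the thread; the placeholder GUID, the "Example" entries and the known_good allow-list are assumptions.

```python
import re

# Constructed sample log: entries quoted in the thread plus two made-up
# "clean" entries (placeholder GUID and a placeholder AV service path).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5136B3A0-0856-4D2E-9BA8-C657448668D1} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\\Program Files\\Example\\helper.dll
O4 - HKCU\\..\\Run: [QdrPack10] "C:\\Program Files\\QdrPack\\QdrPack10.exe"
O20 - Winlogon Notify: fccaxwu - fccaxwu.dll (file missing)
O23 - Service: Example AV Service (exav) - Example Corp - C:\\Program Files\\Example AV\\exav.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# O4 (Run keys) and O20 (Winlogon Notify) are the autostart sections the
# helper in this thread fixed; anything there not on an allow-list gets reviewed.
PERSISTENCE_SECTIONS = {"O4", "O20"}


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line; skip other lines."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def sections_present(log_text):
    """Sections seen, in numeric order. A log with only O23 (as Broni noticed)
    suggests HijackThis is being interfered with and should be renamed."""
    seen = {section for section, _ in parse_entries(log_text)}
    return sorted(seen, key=lambda s: int(s[1:]))


def triage(log_text, known_good=frozenset()):
    """Return [(section, body, reason)] for entries worth fixing or reviewing.

    known_good: substrings (vendor names, paths) the analyst has already vetted
    (assumption: caller supplies these); matching entries are not reported.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if any(k in body for k in known_good):
            continue
        if body.endswith(ORPHAN_MARKERS):
            # Registry still points at a file that is gone: a leftover of a
            # partial removal, safe to "Fix checked" in HijackThis.
            findings.append((section, body, "orphaned entry, file missing"))
        elif section in PERSISTENCE_SECTIONS:
            findings.append((section, body, "unvetted autostart, review"))
    return findings
```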
ok, so i had to leave my client's house...they were going Christmas shopping...... which means i won't be able to make it back there until sometime tomorrow. When I return, I will follow your instructions from your last post. Then I will send you the hjt scan log.

Thank you for your help once again. I appreciate it.
Have a good evening.

No problem.

Don't forget the Combofix.txt also.

here are the log files from hjt and combofix.
thx.


[saving space - attachment deleted by admin]

Please download, update and run a-squared free

At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.

* If malware is found, click the button Remove Selected Malware
* If malware is found, select all found and click Quarantine selected objects
* Click Save Report. Save the report to SOMEWHERE convenient, such as your desktop
* Add the report as an attachment in your next post.
