Results 1 to 2 of 2

Thread: HJT Log

  1. #1
    Join Date
    Jul 2009

    Post HJT Log

    Windows XP Home
    GateWay P4
    This problem disable the MS Firewall, the MS Security Center, the Norton antivirus software, remove access to regedit, changed user policies, disable safe boot, removed folder options from window explorer tool list, would not allow any exe file to launch program, would not allow web browser to link to any site that had HJT, Spybot, Etc Etc,

    I have gotten around all of those issues, and have run every program I know to remove this infection, (25+ years experience) I've never seen anything like this one.

    I am very careful with this type of infection, but I do believe it has now infected my clean machine via usb drive.

    Here is the log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:24:10 PM, on 7/8/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Safe mode

    Running processes:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    F3 - REG:win.ini: load=C:\WINNT\system32\msnfhs.exe
    F3 - REG:win.ini: run=C:\WINNT\system32\msjozfxv.exe
    O2 - BHO: (no name) - {746ae4e8-aedd-4a3b-9ea8-c9373c1dac12} - c:\winnt\system32\sfsgebs.dll
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINNT\system32\msrqtdq.exe
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1 (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [A00F19E94.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\_A00F19E94.exe (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [] C:\DOCUME~1\Pat\LOCALS~1\Temp\mqbld.exe (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Pat\LOCALS~1\Temp\mqbld.exe (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [Windows System Recover!] C:\DOCUME~1\Pat\LOCALS~1\Temp\lsass.exe (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [A00F56887.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\_A00F56887.exe (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [kell] c:\program Files\Manson\liser.exe (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1005\..\Run: [ttool] C:\WINNT\9129837.exe (User 'Pat')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1006\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'Bill')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1007\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl (User 'Xavier')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1008\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Mister W')
    O4 - HKUS\S-1-5-21-3563514748-1417066420-3376078148-1008\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil9f.exe (User 'Mister W')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1005 Startup: fmnupd32.exe (User 'Pat')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1005 Startup: zqosys32.exe (User 'Pat')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1005 User Startup: fmnupd32.exe (User 'Pat')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1005 User Startup: zqosys32.exe (User 'Pat')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1006 Startup: fmnupd32.exe (User 'Bill')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1006 Startup: zqosys32.exe (User 'Bill')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1006 User Startup: fmnupd32.exe (User 'Bill')
    O4 - S-1-5-21-3563514748-1417066420-3376078148-1006 User Startup: zqosys32.exe (User 'Bill')
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} -
    O20 - Winlogon Notify: kiftcwgz - C:\WINNT\SYSTEM32\sfsgebs.dll
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\

    End of file - 4116 bytes

  2. #2
    photolady's Avatar
    photolady is offline Lifetime Friend of Site Staff
    Join Date
    Mar 2002
    At my computer, cruising VDR and watching your back
    Atech, welcome to Virtual Dr. We have a procedure here you should follow before posting a hijackthis log. Please follow the instructions below:

    IMPORTANT NOTE! Because hijack this will list the names of various Malware on your PC, your antivirus may react to the names of said Malware and interpret it as a threat. This is a false positive, which can safely be disregarded. Nothing in this forum actually poses a threat to your computer.

    All members wishing to post their HijackThis logs please observe the below rules and instructions before posting your HijackThis log.

    If you desire to give assistance in the hijackthis forum, please PM one of our Moderators with some links of where you have previously/currently helped.
    If you do not have permission from our staff to assist with hijackthis logs etc., please refrain from doing so until given the all clear.
    Thank you for your co-operation.

    • Do NOT PM or Email logs!
    • When posting your log please explain in detail the problems you are experiencing with your computer. This will be a great help.
    • Resolved Hijackthis logs will be marked off as SOLVED and will be Locked. If the original poster of the log wishes to have their thread re-opened for some reason then please send a PM or email to one of the MODS. Include the link to the thread and details why you need it reopened.
    • Please do NOT post your HijackThis log as an attachment. They will be - regrettably - IGNORED. Our members don't need long files downloaded to their computers; and if your computer IS infected, we SURE aren't going to download your files!


    Please do an online virus scan with at least two of the following programs, and post the results with your other logs when done:

    Housecall at TrendMicro
    Make sure you tick Auto Clean

    BitDefender Free Online Virus Scan
    Make sure you tick AutoClean under Scan Options

    Panda ActiveScan
    Make sure you tick Disinfect automatically under Scan Options

    eTrust Antivirus Web Scanner


    (If any of the online scanners stall or refuse to run properly skip to the next

    Please update Windows:

    Users need to make sure you are up to date with critical updates and service packs* from
    Windows Update

    XP users need to download Service Pack 1a, if you dont have it already.

    An un-patched Windows operating system will get re-infected within minutes of connecting to the internet.

    We require you to have critical updates installed before posting a log, otherwise we're both wasting our time.

    *Note to XP users:Please do not download/upgrade to Service Pack 2 until you are malware free. SP2 installed on a infected computer can cause problems. Once you are clean go ahead and install.


    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner4.exe

    1. Download SUPERAntiSpyware Free for Home Users:

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.


    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under Configuration and Preferences, click the Preferences button.
    * Under [b]General and Startup" tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Scan for tracking cookies.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * Back on the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
    NOTE: Tracking cookies can be omitted from the log.



    2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    3. Download gmer.zip: http://www.gmer.net/files.php
    Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.


    4. Download, install, and run HijackThis:
    Post HijackThis log.
    Do NOT attempt to "fix" anything!

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Above layout courtesy of Broni

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts