Posts: 525
Threads: 24
Joined: Mar 2010
Check my HJT log.
Code: Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:16:52, on 06.04.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\NoriHF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Valve\hl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJackThis\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=NoriHF.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_S25B.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://89.185.204.1
O15 - ESC Trusted IP range: http://89.185.204.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5091 bytes
Posts: 120
Threads: 8
Joined: Feb 2010
Reputation:
1
Not trying to stray you away from this forum, but you would most likely get a faster reply if you posted it on the Hackforums.net HJT section.
Posts: 384
Threads: 23
Joined: Apr 2010
Reputation:
6
I agree with php, but I'll try to say what I think.
I am no HJT expert or something, but from the log I "THINK" you are clean. No guarrante or something ^^
I think you should wait for an expert-
Posts: 110
Threads: 1
Joined: Dec 2009
Reputation:
1
04-06-2010, 07:49 AM
(This post was last modified: 04-06-2010, 07:51 AM by .D0T'.)
Do you recognise the file C:\WINDOWS\NoriHF.exe?
Posts: 384
Threads: 23
Joined: Apr 2010
Reputation:
6
04-06-2010, 07:51 AM
(This post was last modified: 04-06-2010, 07:54 AM by Support.)
Ops, I just saw it and was gonna post about the same :/
Scan Quote:C:\WINDOWS\NoriHF.exe
at http://scanner.novirusthanks.org or http://virustotal.com and please post the results here.
EDIT: IMO you are definitely infected and by this user from HF. http://www.hackforums.net/member.php?act...uid=151149
Try PMing him and tell him to remove it since infecting HF members is against the rules.
Posts: 110
Threads: 1
Joined: Dec 2009
Reputation:
1
04-06-2010, 07:57 AM
(This post was last modified: 04-06-2010, 07:59 AM by .D0T'.)
Pi[X]el, the member 'nori' here at SupportForums, is actually 'NoriHF' at HackForums, I believe.
Posts: 384
Threads: 23
Joined: Apr 2010
Reputation:
6
Maybe, I didn't go through the users here at SF. I just did a quick google search, but it may be possible.
Posts: 528
Threads: 3
Joined: Oct 2009
Reputation:
31
------------
Hi,
Please be patient as I analyze your log for any infections present on your system. If found, I will present you the proper removal instructions for disinfecting your system.
Please do not create any new threads on this while we are working on your system, as it wastes another volunteer's time. Also, while we are working on this system, I'd appreciate it if you do not install any new software, as it may hinder our process.
Thanks for your patience.
------------ - Pre-Step
Click here to download ATF-Cleaner by Atribune. Save it to your desktop.
- Double-click ATF-Cleaner.exe to run it.
- Under 'Main' check the 'Select All' box.
- Press the 'Empty Selected' button.
- If you use Firefox browser:
- Click Firefox at the top and then check the 'Select All' box.
- Press the 'Empty Selected' button.
- Note: If you wish to keep your saved passwords, click No at the prompt.
- If you use Opera browser:
- Click Opera at the top and then check the 'Select All' box.
- Press the 'Empty Selected' button.
- Note: If you wish to keep your saved passwords, click No at the prompt.
- Click 'Exit' on the Main menu to close the program.
------------ - Step 1
Please run HijackThis, click Do a system scan only, and place a check next to the following line(s) if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG ystem.ini: Shell=NoriHF.exe
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O15 - Trusted IP range: http://89.185.204.1
O15 - ESC Trusted IP range: http://89.185.204.1
Then, close all other open windows and click Fix Checked. Reboot.
------------ - Step 2
Please download Malwarebytes' AntiMalware.
Double click mbam-setup.exe to install the application.- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform Full Scan, then click Scan.
The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
------------ - Step 3
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2- Double-Click on dds.scr and a command window will appear. This is normal
- Shortly after two logs will appear, DDS.txt & Attach.txt
- A window will open instructing you save & post the logs
- Save the logs to a convenient place such as your desktop
- Copy the contents of both logs & post in your next reply
------------ - Step 4
Do you recognize this file? If not, navigate to the below location and delete it.
Quote:C:\WINDOWS\NoriHF.exe
------------ - In your next post, please provide the following:
- A Fresh HJT Log
- DDS Log (with Attach.txt)
- MBAM Log
------------
------------
Posts: 384
Threads: 23
Joined: Apr 2010
Reputation:
6
Paradoxum, are you official HJT Log.. Helper?
Posts: 925
Threads: 41
Joined: Oct 2009
Reputation:
59
04-06-2010, 10:39 AM
(This post was last modified: 04-06-2010, 10:40 AM by Skill.)
(04-06-2010, 10:33 AM)Pi[X]el Wrote: Paradoxum, are you official HJT Log.. Helper?
Yes, he is. & even if he wasn't, I'd still trust him to help me remove any infections from my system (if I ever did get any).
|
![[Image: 3326yvl.jpg]](http://i45.tinypic.com/3326yvl.jpg)