Results 65 to 80 of 129

Thread: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

  1. #65
    Registered+
    Join Date
    Jul 2009
    Location
    Calcutta,India
    Posts
    86
    Thanks
    7
    Thanked
    1 time in 1 post
    • Amitava83's system
      • Motherboard:
      • ASUS P5Q-E
      • CPU:
      • C2D E7300@stock speed
      • Memory:
      • 2X2 GB 800MHz Corsair
      • Storage:
      • 500.1 GB @7200.11 Seagate
      • Graphics card(s):
      • Palit Radeon HD 4870 1 GB DDR5 Sonic Dual Edition
      • PSU:
      • Corsair TX 650W
      • Case:
      • Corsair CM 690
      • Operating System:
      • XP SP2,Vista SP1
      • Monitor(s):
      • Dell 1909W
      • Internet:
      • 128kbps DSL unlimited

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by SammEl View Post
    What programs are installed on your XP?

    Download these following programs and run them.

    MalwareBytes
    Spybot Search and Destroy
    Avira Free Anti Virus

    These three programs SHOULD fix most or all of the mess, if Task Manager is not opening then it's possibly something blocking you from opening it (the whole point of most infections).

    Run Spybot and Malwarebytes together, clean Spybot first, then Malware, and reboot.

    Then load up Avira and do a full scan. If anything tries to open up during the scan, Avira will pick it up and ask you to Deny Access or Quarantine it - I'd do the latter.

    Don't worry about any sound drivers yet, they are not important.

    I'll be very surprised if doing the above doesn't get your PC working to how it was before.

    Do that, and update us.
    Since I already have Kaspersky Internet Security 2010 installed, would it be a good thing to install Avira as well? Or should I uninstall Kaspersky first??

  2. #66
    Late Night Ninja! CrazyMonkey's Avatar
    Join Date
    Oct 2006
    Location
    Bristol
    Posts
    1,510
    Thanks
    29
    Thanked
    44 times in 43 posts
    • CrazyMonkey's system
      • Motherboard:
      • Asus M4N98TD Evo
      • CPU:
      • Phenom II X6 1055T @ 4.1ghz
      • Memory:
      • 8GB DDR3 Dominator @ 1700mhz
      • Storage:
      • 120GB OCZ Vertex 2E - 1TB Hitatchi
      • Graphics card(s):
      • 2x 460 1GB
      • PSU:
      • 850W
      • Case:
      • Silverstone Fortress FT02R-WRI Ltd.Edition
      • Operating System:
      • Win 7, XP, Server2008 RC1, Gentoo
      • Monitor(s):
      • 24" Acer LED - 22" Belinea - 19" Samsung - 19" IIyama
      • Internet:
      • 50 MB Virgin Media Cable

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by Amitava83 View Post
    Since I already have Kaspersky Internet Security 2010 installed, would it be a good thing to install Avira as well? Or should I uninstall Kaspersky first??
    Let Kaspersky complete its scan. Don't worry about installing Avira; you can do this after Kaspersky has completed its scan (however, remove Kaspersky).

    I need a new complete HijackThis log before I can continue (your last one didn't post correctly).

    Cheers.

  3. #67
    Registered+
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Ok thanks,

    Navigate to C:\Windows\System32. Is taskmgr.exe present?

    This may be why - C:\WINDOWS\Syste m32 the space? If you navigate to Control Panel, System, Environment, System/User Variables are you able to remove the space in syste m32?

    Can you please repost a new HijackThis log (making sure it doesn't display funny when posting)?

    You can also try the steps manually -

    1. Click Start

    2. Click Run

    3. Type REGEDIT

    4. Click OK. The Registry Editor will now open

    5. Browse to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

    6. In the right pane, look for the value: DisableTaskMgr

    7. Right click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
    Done.

    Quote Originally Posted by CrazyMonkey View Post
    8. Now browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

    9. In the right pane, look for the value: DisableTaskMgr

    10. Right click DisableTaskMgr and select Delete. (When prompted with "Are you sure you want to delete this value", select Yes.)
    Could not find DisableTaskMgr entry here.

    Quote Originally Posted by CrazyMonkey View Post
    11. Close the Registry by choosing File, Exit

    12. You should now be able to access Task Manager. If not, reboot into Safe Mode and repeat the steps outlined above.

    Cheers.
    Still Task Manager not coming up. Will try this in Safe Mode (dunno whether it's possible to log in to XP Safe Mode now, wasn't possible till yesterday)...

    Thanks

  4. #68
    Registered+
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Let Kaspersky complete its scan. Don't worry about installing Avira; you can do this after Kaspersky has completed its scan (however, remove Kaspersky).

    I need a new complete HijackThis log before I can continue (your last one didn't post correctly).

    Cheers.
    Sorry, don't know what had happened. Please find the HijackThis log file:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:04:01 AM, on 4/25/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\SYSTEM32\astsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\nlssrv32.exe
    J:\amitdb\bin\nmesrvc.exe
    J:\amitdb\bin\isqlplussvc.exe
    J:\amitdb\BIN\TNSLSNR.exe
    J:\amitdb\jdk\bin\java.exe
    j:\amitdb\bin\ORACLE.EXE
    C:\WINDOWS\system32\cmd.exe
    J:\amitdb\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
    J:\amitdb\jdk\bin\java.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    J:\amitdb\bin\emagent.exe
    F:\Program Files\Irfanview\i_view32.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [MDS_Menu] "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\MediaShow Espresso\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.5"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1259424836671
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPE R~1\KASPER~1\kloehk.dll
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
    O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\nlssrv32.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: OracleDBConsoleamitdb - Oracle Corporation - J:\amitdb\bin\nmesrvc.exe
    O23 - Service: OracleOraDb10g_home2iSQL*Plus - Oracle - J:\amitdb\bin\isqlplussvc.exe
    O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceAMITDB - Oracle Corporation - j:\amitdb\bin\ORACLE.EXE
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe

    --
    End of file - 7772 bytes


    Thanks

  5. #69
    Senior Member
    Join Date
    Feb 2008
    Posts
    925
    Thanks
    4
    Thanked
    161 times in 148 posts
    • smargh's system
      • Motherboard:
      • Gigabyte GA-EP45-UD3P
      • CPU:
      • Xeon E5450 with 775-to-771 Mod
      • Memory:
      • 16GB Crucial
      • Storage:
      • Intel X25-M G2 80GB/Adaptec 3405 4x 2TB Ultrastar RAID1 / 1x 6TB Hitachi He6 / Dying 2TB Samsung
      • Graphics card(s):
      • GTX 750 Ti
      • PSU:
      • Seasonic X-560
      • Case:
      • Lian-Li PC-A71
      • Operating System:
      • Windows 7 Ultimate 64bit
      • Monitor(s):
      • BenQ G2400WD
      • Internet:
      • Really Crap ADSL2 <3Mbit

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Kaspersky obviously isn't working very well in this instance. Do manual scans from your Windows 7 installation. Uninstalling it wouldn't do any harm - you can put it back on when it's cleaned up.

    Malwarebytes, Spybot & Avira are decent programs, but it's not often that *everything* is found with them. You need to do manual checks with rootkit finders, Autoruns to disable everything which isn't required, and a few other things to find "odd"-looking stuff.

    This thread could go on for a few days yet, unless someone remotes on to the PC.

    Combofix could potentially be the last resort - sometimes it can delete files it shouldn't, for example I've seen one person not be able to use AutoCAD after using Combofix.

  6. #70
    Late Night Ninja! CrazyMonkey's Avatar

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Ok, in C:\Windows\System32, is taskmgr.exe present?

    Go to Start > Run > cmd
    Type each of the following, followed by Enter -
    sc stop ".1239710008"

    sc delete ".1239710008"

    sc stop "PowerManager"

    sc delete "PowerManager"

    Hopefully it will say SUCCESS after each.

    Next, select these in HijackThis and click Fix -

    Code:
    O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe (file missing)
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files\Common Files\BinarySense\disksvc.exe (file missing)
    O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    Reboot. Post a fresh copy of HijackThis.

    Quote Originally Posted by smargh View Post
    This thread could go on for a few days yet, unless someone remotes on to the PC.

    Combofix could potentially be the last resort - sometimes it can delete files it shouldn't, for example I've seen one person not be able to use AutoCAD after using Combofix.
    Trying Combofix or SDFix would be a good idea. You can remote to his PC if you/he like, though I usually don't do this myself.

  7. #71
    Registered+
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Ok, in C:\Windows\System32, is taskmgr.exe present?
    Oops, forgot to mention: no, taskmgr.exe not present in C:\Windows\System32.Taskman.exe is present (don't know what that is)

  8. #72
    Late Night Ninja! CrazyMonkey's Avatar

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by Amitava83 View Post
    Oops, forgot to mention: no, taskmgr.exe not present in C:\Windows\System32.Taskman.exe is present (don't know what that is)
    Ok, also do the name servers 172.16.0.1,202.54.1.63 mean anything to you? As they seem to keep returning in the HijackThis log. Are you making sure to check

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63

    When running HijackThis? Or are these nameservers indeed legit?

    Is this C:\Windows\System32.Taskman.exe the correct path or do you mean C:\Windows\System32\Taskman.exe?

    Try uploading this file to Jotti and post the results.

    Are you able to find taskmgr.exe when running a search on the computer?

  9. #73
    Senior Member
    • smargh's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    This is me if Amitava83 wants someone to go on to do a quicker cleanup: http://www.crossloop.com/smargh

    I get far too fed up trying to guide people through checking these things - it's easier to just remote on and get it over with.

  10. #74
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Ok, also do the name servers 172.16.0.1,202.54.1.63 mean anything to you? As they seem to keep returning in the HijackThis log. Are you making sure to check

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63

    When running HijackThis? Or are these nameservers indeed legit?

    Is this C:\Windows\System32.Taskman.exe the correct path or do you mean C:\Windows\System32\Taskman.exe?

    Try uploading this file to Jotti and post the results.

    Are you able to find taskmgr.exe when running a search on the computer?
    First nameserver looks like a legit India ISP DNS server, second is non-routable though, but maybe it's only visible inside the ISP's network (or they're doing NAT). Is the OP using a router or is the PC connected directly to the Internet?

  11. Received thanks from:

    CrazyMonkey (24-04-2010)
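
As an added example (not code from any poster in this thread), here is one way to triage the O23 service lines that post #70 selects for fixing and the O17 NameServer line questioned in posts #72 and #74. The sample lines are copied from the log posted above; the function names, the reason labels and the list of core Windows binary names are assumptions of this sketch.

```python
import ipaddress
import ntpath  # Windows path rules, regardless of the OS running this script
import re

# Constructed sample: a subset of lines from the HijackThis log in post #68.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63
O23 - Service: 1239710008 (.1239710008) - Unknown owner - C:\Program Files\1239710008\Amitava1239710008L.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: mysql - Unknown owner - F:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: OracleOraDb10g_home2TNSListener - Unknown owner - J:\amitdb\BIN\TNSLSNR.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: PrTgressep - Unknown owner - C:\WINDOWS\system32\srvany.exe
"""

# O23 line layout: display name [(service name)] - owner - path [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>[^\\]+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>.+)$")

# Assumption of this sketch: binaries that normally live only in system32.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"


def service_key(name):
    """Return the short service name (the part `sc stop` / `sc delete` takes)."""
    m = re.search(r"\(([^()]+)\)$", name)
    return m.group(1) if m else name


def triage_services(log):
    """Map service name -> list of reasons it deserves a closer look."""
    findings = {}
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        reasons = []
        if m.group("missing"):
            # Registration survives but the binary is gone (orphaned entry).
            reasons.append("file missing")
        if m.group("owner") == "Unknown owner":
            # No vendor name shown for the binary; a weak signal by itself,
            # as the Oracle listener entry in the sample shows.
            reasons.append("unknown owner")
        if (ntpath.basename(path).lower() in CORE_BINARIES
                and ntpath.dirname(path).lower() != SYSTEM32):
            reasons.append("core Windows binary name outside system32")
        if reasons:
            findings[service_key(m.group("name"))] = reasons
    return findings


def classify_nameservers(log):
    """Return (address, class) for every server on O17 NameServer lines."""
    results = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for raw in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                results.append((raw, "unparseable"))
                continue
            # Non-routable usually means a router or ISP-internal resolver;
            # a public address should match what the ISP or router hands out.
            results.append((raw, "non-routable" if ip.is_private else "public"))
    return results


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
    for addr, kind in classify_nameservers(SAMPLE_LOG):
        print(f"{addr}: {kind}")
```
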

  12. #75
    Registered+
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by smargh View Post
    This is me if Amitava83 wants someone to go on to do a quicker cleanup: http://www.crossloop.com/smargh

    I get far too fed up trying to guide people through checking these things - it's easier to just remote on and get it over with.

    Can both you and CrazyMonkey come on Remote with me, at your convenient time, and get this over with???

    I'm a photographer by profession and all my Photoshop CS4 plugins, which I painstakingly acquired over the past couple of years, work ONLY on XP but not on Win7 Ultimate. I do not even have backups of all the other editing software I use regularly on XP.

    Otherwise I wouldn't have hesitated a sec to reformat XP.
    But as the situation is now, reformatting would mean I'd be out of work for quite some time and I have a family to support.

    Help me out guys, that's all I can say.

  13. #76
    Late Night Ninja! CrazyMonkey's Avatar

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    I am available to remote tonight for the next hour or so. I presume TeamViewer would be easiest?

    Update me on whether or not you want to take this route.

    Would be easiest if you PM me your TeamViewer ID and password if that is what you want to do.

    Cheers.

  14. #77
    Registered+
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Ok, also do the name servers 172.16.0.1,202.54.1.63 mean anything to you? As they seem to keep returning in the HijackThis log. Are you making sure to check

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4363DC25-F2D6-42B0-B029-73575FC6AD35}: NameServer = 172.16.0.1,202.54.1.63

    When running HijackThis? Or are these nameservers indeed legit?
    172.16.0.1--my Preferred DNS Server
    202.54.1.63--Alternate DNS Server


    Quote Originally Posted by CrazyMonkey View Post
    Is this C:\Windows\System32.Taskman.exe the correct path or do you mean C:\Windows\System32\Taskman.exe?
    It's C:\WINDOWS\system32\Taskman.exe

    Quote Originally Posted by CrazyMonkey View Post
    Try uploading this file to Jotti and post the results.
    Here it is:
    http://virusscan.jotti.org/en-GB/sca...040243d844f07c

    And here is the latest Log from MBAM:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3930

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    4/25/2010 1:54:58 AM
    mbam-log-2010-04-25 (01-54-58).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 153960
    Time elapsed: 20 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Quote Originally Posted by CrazyMonkey View Post
    Are you able to find taskmgr.exe when running a search on the computer?
    When I do a search for taskmgr.exe, Windows finds TASKMGR.EXE-118158DD.pf in C:\WINDOWS\Prefetch. In D drive (for Win 7), it finds an actual taskmgr.exe.

  15. #78
    Registered+
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    I am available to remote tonight for the next hour or so. I presume TeamViewer would be easiest?

    Update me on whether or not you want to take this route.

    Would be easiest if you PM me your TeamViewer ID and password if that is what you want to do.

    Cheers.
    Yes, that would be great. Just let me download and install TeamViewer.

  16. #79
    Late Night Ninja! CrazyMonkey's Avatar

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Ok, do you want me to remote you or continue working on here? Your choice, I don't mind.

    EDIT - ok, just PM me the details when you are ready, or we can discuss over MSN if you prefer?

  17. #80
    Registered+
    • Amitava83's system

    Re: VERY URGENT.System infected with umdmgr.exe.PLEASE HELP!!!

    Quote Originally Posted by CrazyMonkey View Post
    Ok, do you want me to remote you or continue working on here? Your choice, I don't mind.

    EDIT - ok, just PM me the details when you are ready, or we can discuss over MSN if you prefer?

    Hello,

    I have pinged you TeamViewer details through private message... I'm ready for the session.
