TechSpot

Can someone analyze my hijackthis log?

By hafizhah
Apr 13, 2007
  1. I need help.
    My laptop was infected with a trojan and it has been removed according to the repairman (but I'm not certain that it has).

    The problem I have now is, I can't view my hidden files & folders.
    Whenever I click to view them, it automatically reverts back to "do not show".

    Can someone analyze the attached HijackThis log and tell me what I can do to make it better?

    Thank you so much... it has been going on for the past few months.
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your HijackThis log is clean.

    Do fix this entry though:
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

    I doubt your system is infected with malware at all. (But I'll have to look at your AVG antispyware and ComboFix logs to be sure. To find out the procedures for scanning and saving logs, please see HERE.)

    I doubt we'll find anything though; this appears to be a problem unrelated to web security issues or malware.
    You might wish to post your thread in the Windows OS forums.
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    momok: The O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing) entry is perfectly safe and shouldn't be fixed. It's part of the software for Kodak digital cameras.

    Regards Howard :)
     
  4. momok

    momok TS Rookie Posts: 2,265

    Sorry about that Hafizhah.
    Thanks Howard =)
     
  5. hafizhah

    hafizhah TS Rookie Topic Starter

    I did what momok suggested.

    I could do steps 1 - 12 but not 13, because I couldn't view my hidden files and folders.
    And so I'm stuck and I don't know what else to do.

    For step 11, no rootkit was found.
    And for step 12, I shall attach the log.

    Should I just go ahead with step 13 regardless of the "unable to view hidden files & folders"?
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Yes, please do so. Your system appears to be infected by a trojan, but AVG could possibly remove that. Do go ahead with step 13, and post your AVG log after you have quarantined any problems.
     
  7. hafizhah

    hafizhah TS Rookie Topic Starter

    I've done step 13 and I don't know how or what I did, but I'm able to view my hidden files and folders now.

    But are there still any problems with my system?
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your AVG log only shows tracking cookies, which are not a big problem. However, your log shows 'no action taken' for all the entries. I suggest you do the scan and quarantine all items.

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab

    Apart from that, from what I can tell, your system is clean.
    With regards to the problem you had previously, it is likely to be unrelated to malware.

    Turn off system restore (XP/ME only). Learn how to do that HERE.

    This will remove all the remaining nasties from your old restore points.
    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Should you have any further problems, please post in this thread.


    Regards,
    Yours friendly Momok =)
     
  9. hafizhah

    hafizhah TS Rookie Topic Starter

    Alright... thanks.

    I have another question...
    Is it possible to remove a trojan from a thumbdrive?
    If it is, how do I go about doing it?
    And if I were to connect my thumbdrive to my laptop, my laptop will be at risk, right?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If scanning the thumb drive with your antivirus programme doesn't get rid of the virus, then the best way to remove the virus is to reformat it.

    Regards Howard :)
     
  11. hafizhah

    hafizhah TS Rookie Topic Starter

    I have scanned my 2 thumbdrives and also my HP memory card.

    The problem that I have is that I can't open the drive by double-clicking it.
    An "Open with" window appears. But if I left-click > Open, it opens.

    And it still occurs even after I have scanned and removed the trojan and a threat: downloader.


    Why is it so?
    Do I have to reformat all 3 eventually?
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    (bump)
    I'm not sure how to deal with the threats in such cases. But as Howard has explained, the best way is to reformat the thumbdrives.

    I wonder if anyone else here has the expertise to help out?


    Regards,
    Your friendly Momok =)
     
  13. hafizhah

    hafizhah TS Rookie Topic Starter

    I installed flash_disinfector.exe and pasted it into my thumbdrives.

    I ran it, and after it was done, I could open my thumbdrives.
    I have yet to try it on my HP memory card, but I think it should work the same.

    So can I conclude that, since the anti-virus scan is clean and now I can open my external drives, it is no longer infected with viruses?

    While using Internet Explorer...

    An iexplore window "not enough process to proceed command" keeps appearing and won't go away even if I click Close or OK.

    Any idea what it is?
     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Post a fresh HJT log and we shall see if your system has been reinfected.

    Regards,
    Your friendly Momok =)
     
  15. hafizhah

    hafizhah TS Rookie Topic Starter

    Alright... here is the latest HJT log.

    Thanks for taking the trouble to assist me.
    Appreciate it a lot... really. Thanks. =)
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean as a whistle.

    I'm not sure what the error message you're getting means. Are you sure that's the exact error message?

    Regards Howard :)

    This thread is for the use of hafizhah only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. hafizhah

    hafizhah TS Rookie Topic Starter

    Yups... definitely sure that's the message.
    But since the HJT log is clean, there shouldn't be much of a problem.

    Much thanks for all the help offered.
    I feel more relieved now.
    Thanks again.
     
  18. hafizhah

    hafizhah TS Rookie Topic Starter

    Heys, I tried those 13 steps on my bf's computer because, thanks to me, his PC has been badly infected...

    So, could someone help to analyze his logs and tell me how I can make his PC better?
    And by the way, no rootkit was found.
    Thank you. =)
     
  19. momok

    momok TS Rookie Posts: 2,265

    Hi,

    That system is infected with a worm, some adware and other malware.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download the Pocket Killbox from HERE. Extract it but don't run it yet.

    Boot into safe mode under your normal user name. See how HERE.

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to Start > Run and type services.msc. Press the Enter key.
    Search for the following services (if there); double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.
    3721.exe
    WinNetwork.exe
    ALCMTR.EXE
    WinNetwork.DLL


    Open your Task Manager by pressing and holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:

    3721.exe
    WinNetwork.exe
    ALCMTR.EXE
    WinNetwork.DLL


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O23 - Service: Windows_ServerDdos - Unknown owner - C:\WINDOWS\system32\3721.exe (file missing)
    O23 - Service: WinNetwork - Unknown owner - C:\WINDOWS\system32\WinNetwork.exe (file missing)

    Close HJT.

    Run the Killbox program which you downloaded. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. (You can copy and paste the file paths.)

    C:\WINDOWS\system32\3721.exe
    C:\WINDOWS\system32\WinNetwork.exe
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\system32\WinNetwork.DLL
    C:\WINDOWS\system32\swxcacls.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\system32\swsc.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\swreg.exe
    C:\FOUND.013
    C:\WINDOWS\WHKEY9.DLL
    C:\WINDOWS\WHKEY8.DLL
    C:\FOUND.012
    C:\FOUND.011
    C:\FOUND.010
    C:\FOUND.009
    C:\FOUND.008
    C:\WINDOWS\WHKEY.DLL
    C:\WINDOWS\WHKEY6.DLL
    C:\WINDOWS\WHKEY5.DLL
    C:\WINDOWS\WHKEY4.DLL
    C:\WINDOWS\WHKEY3.DLL
    C:\WINDOWS\WHKEY2.DLL
    C:\WINDOWS\WHKEY1.DLL
    C:\WINDOWS\wh.DLL
    C:\FOUND.007
    C:\FOUND.006
    C:\WINDOWS\Down(0).exe
    C:\WINDOWS\down(1).exe
    E:\sxs2.exe

    (Please back up your registry before you do the next step)
    Go to Start > Run and type regedit. Press Enter.
    Press ctrl + F and search for all instances of the following files and delete them.
    ie.exe
    sxs2.exe

    Close the program.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)
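    A small triage helper for the kind of HijackThis entries quoted in this thread (the O23 KodakCCS entry in posts 2 and 3, the O16 DPF entry in post 8, and the O4/O23 entries in the post above). This is an added example, not part of the thread or of HijackThis itself; the sample log lines are constructed in the shape of the posted entries, and the O16 URL is a placeholder. It pulls out the fields an analyst checks and says why each entry needs a look, without deciding on its own, since, as Howard pointed out, a "(file missing)" service can be a harmless leftover.

```python
import re
from urllib.parse import urlparse

# Constructed sample log, shaped like the HijackThis entries quoted in this thread.
# The O16 URL is a placeholder, not the one from the post.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://download.example.com/runaware/wficat-no-eula.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\\WINDOWS\\system32\\drivers\\KodakCCS.exe (file missing)
O23 - Service: Windows_ServerDdos - Unknown owner - C:\\WINDOWS\\system32\\3721.exe (file missing)
O23 - Service: WinNetwork - Unknown owner - C:\\WINDOWS\\system32\\WinNetwork.exe
"""

# One pattern per entry type this thread deals with (HJT writes "O4 - hive: [name] command" etc.).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_hjt_line(line):
    """Return a dict of fields for an O4/O16/O23 entry, or None for any other line."""
    for kind, rx in (("O4", O4_RE), ("O16", O16_RE), ("O23", O23_RE)):
        m = rx.match(line.strip())
        if m:
            entry = {"kind": kind, **m.groupdict()}
            if kind == "O23":
                entry["missing"] = entry["missing"] is not None  # boolean flag, not raw text
            return entry
    return None


def triage(log_text):
    """List (kind, name, reason) for entries an analyst should verify; it never decides alone."""
    findings = []
    for entry in filter(None, map(parse_hjt_line, log_text.splitlines())):
        if entry["kind"] == "O23" and entry["owner"] == "Unknown owner":
            # A missing binary is ambiguous: KodakCCS is a legitimate leftover, 3721.exe is not.
            state = "binary missing" if entry["missing"] else "binary present"
            findings.append((entry["kind"], entry["display"],
                             f"unknown owner, {state}; verify the vendor of {entry['path']}"))
        elif entry["kind"] == "O16":
            host = urlparse(entry["url"]).hostname
            findings.append((entry["kind"], entry["clsid"], f"ActiveX control downloaded from {host}"))
        elif entry["kind"] == "O4" and not re.match(r"^[A-Za-z]:\\", entry["command"]):
            # Bare filename: Windows resolves it through the search path, so locate the real file.
            findings.append((entry["kind"], entry["name"], f"Run entry with bare filename {entry['command']}"))
    return findings
```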
     
  20. hafizhah

    hafizhah TS Rookie Topic Starter

    I have done as above...

    I'm not too sure why, but now nothing can be typed on his keyboard.
    Even after he reboots a couple of times, it is still the same.

    Anyway, are there any problems left with his system?
     
  21. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    Clear all the files quarantined in the quarantined folder for AVG Antispyware.

    Turn off system restore (XP/ME only). Learn how to do that HERE.

    This will remove all the remaining nasties from your old restore points.
    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    I am not very sure if the keyboard problem is malware related. Do you experience any other sort of problems other than that? If not, it could be hardware related.
    However, just to be sure, do post a combofix log from normal mode. (Sorry I forgot to ask you to post that earlier.)


    Regards,
    Your friendly Momok =)
     
  22. hafizhah

    hafizhah TS Rookie Topic Starter

    This is the ComboFix log.

    Could the keyboard problem arise from accidentally deleting a registry entry?
     
  23. momok

    momok TS Rookie Posts: 2,265

    Hi,

    His ComboFix log looks rather clean too.
    Did he do any registry editing before that? The only registry files I requested to edit were the sxs2.exe and ie.exe, which are a worm and a trojan. Is he using a normal keyboard? It does not seem likely that it arose from a registry fix.
    Perhaps you could try switching off the system, then unplugging and replugging it back in before turning it on again.

    If you face problems that seem fishy or malware related please describe them to me.


    Regards,
    Your friendly Momok =)
     
  24. hafizhah

    hafizhah TS Rookie Topic Starter

    Alright... we unplugged and replugged it, but his keyboard is still not working.

    At times, his PC will keep rebooting for no apparent reason.
    And also, his mouse keeps lagging.
     
  25. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I'm sorry, this appears to be out of the scope of my knowledge. I'll PM Howard, our resident mod here, to see if he can help you.


    Regards,
    Your friendly Momok =)
     
Topic Status:
Not open for further replies.
