TechSpot

Hijackthis Log Analysis

By chadbrochill
Nov 23, 2009
  1. Hi, I have recently been having troubles with online accounts being hacked, and having passwords constantly changed. I think I may have a keylogger but have not been able to find any malware with multiple malware-finding programs. If anyone would be able to look at the log attached and let me know if there are any problems that would be great! Thanks!
     
  2. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Hi chadbrochill,

    You are correct that you have malware on your computer; here they are broken down into groups. Check each to be deleted after the performed scan.

    EXTREMELY NASTY:
    O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0

    Other Malicious software:
    O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Angel\ntuser.dll,_IWMPEvents@0
    O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Now this does not mean that the possible keylogger was detected. This just shows the malware on your computer that could be the keylogger.
     
  3. chadbrochill

    chadbrochill TS Rookie Topic Starter

    Hey, thanks for the reply, but I'm not able to see any of the malware you listed within my log. Is there something I am missing?
     
  4. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Re-scan your system using Hijackthis and when those couple come up, check them off to delete them.
     
  5. chadbrochill

    chadbrochill TS Rookie Topic Starter

    When I run Hijackthis I am not able to see any of the groups you listed.
     
  6. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    After you have performed a scan and it comes up with the malware, these do not exist? NOTE: They are not exactly in order like that.
     
  7. chadbrochill

    chadbrochill TS Rookie Topic Starter

    When I perform the scan I don't see any of those. I've reattached the log in case there was some sort of error previously.
     
  8. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Your computer no longer has the viruses I listed before but has 3 possible viruses:

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

    These files could be malware but are classified as:

    These can probably be left but it is up to you whether you want to delete them. Otherwise, the major viruses are gone. :D
     
  9. chadbrochill

    chadbrochill TS Rookie Topic Starter

    Ah k, I was able to find those three listed and delete them. Thanks for the help, it's appreciated!
     
  10. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Most certainly welcome.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    AnonymousSurfer
    Please read: http://www.techspot.com/vb/topic120350.html

    chadbrochill, you have not gotten proper cleaning help.

    Please visit the steps here: http://www.techspot.com/vb/topic58138.html

    When you have finished, attach the logs from Malwarebytes and Superantispyware.

    Rescan with HijackThis and paste the log into your next reply. This member does not recognize a virus and HijackThis does not screen for viruses.

    I will review your logs when they are posted.
     
  12. chadbrochill

    chadbrochill TS Rookie Topic Starter

    I have run and attached the 3 logs you were needing. Here they are.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you.

    P2P or 'file sharing' Warning
    I see that you are using:
    Ares.
    Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Ares for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present: (Optionals are in green)

    C:\Documents and Settings\Matt\Desktop\Ares.exe> Optional P2P
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Matt\Desktop\Ares.exe" -h> Optional P2P


    For the following: is this for 'Internet Download Accelerator'? If No, remove. Was it downloaded from Ares or a torrent site? If Yes, check for removal:

    C:\Program Files\Ida\Ida.exe
    O4 - HKCU\..\Run: [Ida] "C:\Program Files\Ida\IdaLaunch.exe" -tray

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)>
    (leftover link scanner from AVG)

    Close all Windows except for HJT. Click on "Fix Checked".

    If you decided to remove Ares and/or Ida:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Control Panel> Add/Remove Programs> Uninstall the following:
    Ares (Optional)
    Ida

    Access Windows Explorer: Right click on Start> Explore> My Computer> Local Drive (C)> Programs> right click> delete the following folders:
    Ares- Optional
    Ida


    Close Windows Explorer.
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Attach report for Combofix and Eset scan log in your next reply.
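The log entries quoted in this thread (the O4 Run lines calling rundll32 with an oddly placed DLL, the O7 DisableRegedit policy, and the O2/O18/R3 registrations that point at "(no file)") are the kind of thing a helper scans for by eye. As an added example, not part of the thread and not HijackThis code, the Python below parses lines in HijackThis log format and applies a few defender-side heuristics to rank them. The sample input reuses the entries quoted above plus one constructed benign line (ctfmon.exe); the regexes, severity labels and heuristics are this example's own assumptions, not anything HijackThis itself does.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code).

Heuristics (all assumptions of this example, not HijackThis behaviour):
  * any entry whose target is "(no file)"          -> medium (orphaned registration)
  * O4 Run entries where rundll32 calls a mangled export like _IWMPEvents@0,
    or loads a DLL from a user profile / registry hive directory   -> high
  * O4 Run entries whose executable name is purely numeric        -> high
  * O7 policy entries that set DisableRegedit=1                   -> high
  * O4 Run entries that start a known P2P client                  -> info
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines quoted in the thread plus one benign entry (ctfmon.exe).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Angel\ntuser.dll,_IWMPEvents@0
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Matt\Desktop\Ares.exe" -h
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# hive \..\Run: [name] command [ (User 'xxx')]
O4_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<export>\S+)", re.IGNORECASE)
NUMERIC_EXE_RE = re.compile(r"\\\d+\.exe\b", re.IGNORECASE)
PROFILE_DIR_RE = re.compile(
    r"\\(?:DOCUME~1|Documents and Settings|Users)\\|\\config\\", re.IGNORECASE
)
P2P_NAMES = {"ares", "limewire", "bearshare", "kazaa", "utorrent", "bittorrent"}
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    section: str
    line: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def _check_o4(body: str, hits: list) -> None:
    m = O4_RE.match(body)
    if not m:
        return
    name, cmd = m["name"], m["cmd"]
    r = RUNDLL_RE.match(cmd)
    if r:
        # _Name@N is a stdcall-mangled export; legitimate Run entries rarely call one.
        if r["export"].startswith("_") and "@" in r["export"]:
            hits.append(("high", f"rundll32 calls mangled export {r['export']} in {r['dll']}"))
        if PROFILE_DIR_RE.search(r["dll"]):
            hits.append(("high", f"rundll32 loads a DLL from a profile/hive directory: {r['dll']}"))
    if NUMERIC_EXE_RE.search(cmd):
        hits.append(("high", "autostart executable has a purely numeric name"))
    if name.lower() in P2P_NAMES:
        hits.append(("info", f"P2P client '{name}' starts automatically"))


def _check_o7(body: str, hits: list) -> None:
    if "DisableRegedit=1" in body:
        hits.append(("high", "policy disables the Registry Editor"))


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order; clean lines are skipped."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        hits: list[tuple[str, str]] = []
        if body.endswith("(no file)"):
            hits.append(("medium", "registration points at a file that no longer exists"))
        if section == "O4":
            _check_o4(body, hits)
        elif section == "O7":
            _check_o7(body, hits)
        if hits:
            severity = max((s for s, _ in hits), key=SEVERITY_RANK.__getitem__)
            findings.append(Finding(section, line, severity, [reason for _, reason in hits]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.line}")
        for reason in f.reasons:
            print(f"          - {reason}")
    print(summarize(found))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The benign ctfmon.exe line produces no finding, the "(no file)" entries come out as medium (harmless but worth cleaning), and the rundll32, numeric-executable and DisableRegedit entries come out as high; these heuristics are a starting point for review, not a verdict, and a "high" line still needs the file itself checked with a scanner as the thread's helpers do.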
     
Topic Status:
Not open for further replies.