Old 07-06-2008, 04:07 AM  
L337 Poster
 
Character: AEERON/ aeryox
Guild: VV
Server: Nagafen


virus issues (hijack this log)

I recently had a big problem with a spools.exe trojan; it would lock me out of stuff and tell me files had no file paths.

I got it to stop affecting my PC, although I believe it lies dormant.

If I Ctrl+Alt+Delete, I find it in my system called spoolsvc.exe.

AVG Free 8.0 does not find it anymore though...

I have a HijackThis log here from when my PC was completely working again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 331 AM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {c5af49a2-94f3-42bd-f434-2604812c897d} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddbf.exe] C:\WINDOWS\system32\kddbf.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD7CC8D-8134-4AA2-B173-681624D5A9D4}: NameServer = 85.255.116.62,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B5D7209-1943-48C2-9054-25CDF6EFF646}: NameServer = 85.255.116.62,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA7564F1-D5E6-4B01-B336-CDF3A99E7869}: NameServer = 85.255.116.62,85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\..\{4CD7CC8D-8134-4AA2-B173-681624D5A9D4}: NameServer = 85.255.116.62,85.255.112.166
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.166
O17 - HKLM\System\CS2\Services\Tcpip\..\{4CD7CC8D-8134-4AA2-B173-681624D5A9D4}: NameServer = 85.255.116.62,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.166
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: hggwnfun - hgGWNFUn.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
aeeron
Old 07-06-2008, 04:16 AM  
L337 Poster
 
Character: Avaelax
Guild: Naga Stole My Bike
Server: Everfrost

Re: virus issues (hijack this log)

way2getavirus dumbass =\
Avaela
Old 07-06-2008, 05:59 AM  
Don't even think about it
 
Character: Petgroup
Server: Gorgonnash


Re: virus issues (hijack this log)

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddbf.exe] C:\WINDOWS\system32\kddbf.exe

I'd wipe out everything except AVG from that HijackThis log; the above file, though, looks sketchy and you should try to delete it. Try getting SmitFraudFix, running it in Safe Mode, selecting option 2, and then yes to clean the registry.


And for all my fanbois, here's the link to the free 60 days of the new Webroot AV.

http://www.webroot.com/beta/beta_download.php

Download that and I'm sure it will find whatever you are looking for, rather than doing what I said above.
Last edited by Petgroup; 07-06-2008 at 06:03 AM.
Petgroup
Old 07-06-2008, 06:09 AM  
L337 Poster
 
Character: AEERON/ aeryox
Guild: VV
Server: Nagafen


Re: virus issues (hijack this log)

I was unable to delete that file via HijackThis and Malwarebytes; I'm going to try using Webroot AV now, thanks.
aeeron
Old 07-06-2008, 11:52 AM  
Yo Soy La Pequeña Prohibida
 
Character: Kaif
Guild: Clan Of Shadows
Server: Thorgrim

Re: virus issues (hijack this log)

Is Webroot > Avast?
kaif
Old 07-07-2008, 07:37 AM  
mostly harmless
 
Character: Tokamak
Guild: Quit
Server: EQ2 > soe


Re: virus issues (hijack this log)

ComboFix FTW, to be honest.

Kill these:

O2 - BHO: (no name) - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)

Also, I don't know what this is; I'd kill it:

O20 - Winlogon Notify: hggwnfun - hgGWNFUn.dll (file missing)

What's this bollocks?

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddbf.exe] C:\WINDOWS\system32\kddbf.exe

Also, post your HJT log somewhere like Spybot, MajorGeeks or Bleeping Computer to get decent help.
Last edited by Tokamak; 07-07-2008 at 07:38 AM.
Tokamak
Old 07-07-2008, 08:01 AM  
Operating Thetan Level IV
 
Character: Morara
Guild: Guild of Guildiness +5
Server: Oobag


Re: virus issues (hijack this log)

You got off easy. Just back up integral stuff and reformat, since it's not a real virus.

The time you spend dicking around with cleaning it up could be spent on the 2 hours it takes to get Windows up and completely usable from scratch.
Morara
Old 07-07-2008, 01:36 PM  
Don't even think about it
 
Character: Petgroup
Server: Gorgonnash


Re: virus issues (hijack this log)

Quote (Originally Posted by Tokamak):
ComboFix FTW, to be honest.

Kill these:

O2 - BHO: (no name) - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)

Also, I don't know what this is; I'd kill it:

O20 - Winlogon Notify: hggwnfun - hgGWNFUn.dll (file missing)

What's this bollocks?

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddbf.exe] C:\WINDOWS\system32\kddbf.exe

Also, post your HJT log somewhere like Spybot, MajorGeeks or Bleeping Computer to get decent help.

3 of the 4 files you posted are already removed from his computer, hence the (file missing). Only the last one is still there.
Petgroup
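As an added example (not code from the thread, from HijackThis or from any of the tools named in it), here is a small Python triage script that reads HJT entry lines like the ones in the opening post and flags what a responder would pull out of that log: every O17 NameServer sitting in the publicly documented DNSChanger (Zlob / Rove Digital) resolver block 85.255.112.0/20, which both addresses in the log do and which the log shows in three adapter keys and in both ControlSet001 and ControlSet002, not just the active Tcpip\Parameters key; O4 Run entries that fire for SYSTEM or the Default profile before anyone logs on (note that the running-process list shows the legitimate spooler, C:\WINDOWS\system32\spoolsv.exe, while the Run value points at a different file under system32\drivers); and entries marked "(no file)" or "(file missing)", which are the leftovers Petgroup refers to, where only the registry value remains to be removed. The sample lines are copied from the log above; the severity labels, the `trusted_dns` parameter and the function names are my own assumptions.

```python
r"""Added example (not part of the thread): triage a HijackThis 2.0.x log for
rogue DNS resolvers (O17), Run entries that execute for the SYSTEM / Default
profile (O4 under HKUS\S-1-5-18 and HKUS\.DEFAULT), autorun EXEs parked in
system32\drivers, and orphaned entries whose file is already gone."""
import ipaddress
import re

# Publicly documented DNSChanger (Zlob / Rove Digital) resolver block.  Every
# NameServer address in the thread's log falls inside it.
KNOWN_ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]

# Run keys under these hives fire for the SYSTEM and pre-logon profiles.
SYSTEM_HIVES = {"HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
O4_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
O17_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")

# Constructed sample: the relevant lines copied from the log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {c5af49a2-94f3-42bd-f434-2604812c897d} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddbf.exe] C:\WINDOWS\system32\kddbf.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD7CC8D-8134-4AA2-B173-681624D5A9D4}: NameServer = 85.255.116.62,85.255.112.166
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.166
O20 - Winlogon Notify: hggwnfun - hgGWNFUn.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
"""


def entries(log_text):
    """Yield (section, body, line) for every HJT entry line in the log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def is_rogue(ip_text):
    """True if the resolver address lies in a known rogue DNS block."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in KNOWN_ROGUE_DNS)


def triage(log_text, trusted_dns=()):
    """Return findings as (severity, section, reason, line) tuples.

    trusted_dns: resolvers the box is expected to use (ISP / internal DNS);
    anything else in an O17 line is reported even if it is not known-bad."""
    trusted = {ipaddress.ip_address(a) for a in trusted_dns}
    findings = []
    for sec, body, line in entries(log_text):
        if sec == "O17":
            for ip_text in IPV4_RE.findall(body):
                if is_rogue(ip_text):
                    findings.append(("HIGH", sec, f"NameServer {ip_text} is in a known rogue DNS block", line))
                elif ipaddress.ip_address(ip_text) not in trusted:
                    findings.append(("MEDIUM", sec, f"NameServer {ip_text} is not an expected resolver", line))
        elif sec == "O4":
            m = O4_RE.match(body)
            if m:
                hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
                who = m.group("user") or "the logged-on user"
                if hive.upper() in SYSTEM_HIVES:
                    findings.append(("HIGH", sec, f"'{name}' runs for {who} before anyone logs on", line))
                if "\\system32\\drivers\\" in cmd.lower() and cmd.lower().endswith(".exe"):
                    findings.append(("HIGH", sec, "autorun EXE parked in system32\\drivers", line))
                if name.lower() == cmd.lower():
                    findings.append(("MEDIUM", sec, "value name is its own path (auto-generated entry)", line))
        # "(no file)" / "(file missing)": the binary is already gone and only
        # the registry value is left to remove.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("LOW", sec, "orphan: file already gone, delete the registry value only", line))
    return findings


def hijacked_dns_keys(log_text):
    r"""Every registry key still carrying a rogue NameServer.  Per-adapter
    values override Tcpip\Parameters, and ControlSet001/002 are what
    CurrentControlSet and Last Known Good resolve to, so all of them need
    clearing, not just the one the machine is currently using."""
    keys = []
    for sec, body, _ in entries(log_text):
        m = O17_RE.match(body) if sec == "O17" else None
        if m and any(is_rogue(ip) for ip in IPV4_RE.findall(m.group("servers"))):
            keys.append(m.group("key"))
    return keys


if __name__ == "__main__":
    for severity, sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {sec}: {reason}\n        {line}")
    print("\nNameServer keys to reset:")
    for key in hijacked_dns_keys(SAMPLE_LOG):
        print("  " + key)
```

Run against the sample, the script rates all six NameServer values HIGH, reports the spools.exe entry twice (SYSTEM-profile Run key, EXE under system32\drivers), rates the kddbf.exe entry MEDIUM because its value name is its own path, leaves the MSConfig entry alone, and lists the O2, O20 and O22 lines as orphans. Passing your ISP's resolvers in `trusted_dns` keeps legitimate O17 lines quiet while still catching an unexpected server that is not on a known-bad list.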
All times are GMT -4.