Author Topic: hit by Hakaglan.B worm  (Read 6405 times)


haneef90

  • SCF Newbie
  • *
  • Posts: 2
  • KARMA: 0
hit by Hakaglan.B worm
« on: 10. December 2007., 09:33:27 »
Hello.

I've scanned my PC using NOD32.
The result showed that my PC has been infected by the Win32/Hakaglan.B worm.
The action taken by NOD32 was "cleaned by deleting - quarantined".
The worst thing is, I can't open my Task Manager.

Can you help me?


Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: hit by Hakaglan.B worm
« Reply #1 on: 10. December 2007., 10:19:12 »
Quote
Can you help me?

Of course!  :police:


Haneef,

please follow my instructions, so we can do this in a short time:

1. Please provide us all possible details related to your problems / infection.

2. Run Kaspersky Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us the logs from HijackThis & Kaspersky Online Scan.


We will wait for your reply (with logs).

Regards,

Samker

haneef90

  • SCF Newbie
  • *
  • Posts: 2
  • KARMA: 0
Re: hit by Hakaglan.B worm
« Reply #2 on: 10. December 2007., 11:40:24 »
Kaspersky Online Scan Log:

Monday, December 10, 2007 7:19:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/12/2007
Kaspersky Anti-Virus database records: 478202
 
 
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
 
Scan Target My Computer
C:\
D:\
E:\ 
 
Scan Statistics
Total number of scanned objects 62230
Number of viruses found 2
Number of infected objects 3

Number of suspicious objects 0
Duration of the scan process 00:54:23

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log  Object is locked  skipped 
 
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB  Object is locked  skipped 
 
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat  Object is locked  skipped 
 
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat  Object is locked  skipped 
 
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log  Object is locked  skipped 
 
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck  Object is locked  skipped 
 
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\cert8.db  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\history.dat  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\key3.db  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\parent.lock  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\search.sqlite  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\urlclassifier2.sqlite  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Cookies\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\Cache\_CACHE_001_  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\Cache\_CACHE_002_  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\Cache\_CACHE_003_  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Application Data\Mozilla\Firefox\Profiles\nhbxfzk4.default\Cache\_CACHE_MAP_  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\History\History.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Temp\139.tmp  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Temp\NERO13904\Toolbar.exe  Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Temp\~DF9560.tmp  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\NTUSER.DAT  Object is locked  skipped 
 
C:\Documents and Settings\Mister N\ntuser.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\Cookies\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped 
 
C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL  Infected: not-a-virus:AdTool.Win32.MyWebSearch.az  skipped 
 
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL  Infected: not-a-virus:AdTool.Win32.MyWebSearch.az  skipped 
 
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt  Object is locked  skipped 
 
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped 
 
C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped 
 
C:\WINDOWS\SchedLgU.Txt  Object is locked  skipped 
 
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped 
 
C:\WINDOWS\Sti_Trace.log  Object is locked  skipped 
 
C:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped 
 
C:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped 
 
C:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped 
 
C:\WINDOWS\system32\config\default  Object is locked  skipped 
 
C:\WINDOWS\system32\config\default.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SAM  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SECURITY  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\software  Object is locked  skipped 
 
C:\WINDOWS\system32\config\software.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped 
 
C:\WINDOWS\system32\config\system  Object is locked  skipped 
 
C:\WINDOWS\system32\config\system.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\h323log.txt  Object is locked  skipped 
 
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped 
 
C:\WINDOWS\wiadebug.log  Object is locked  skipped 
 
C:\WINDOWS\wiaservc.log  Object is locked  skipped 
 
C:\WINDOWS\WindowsUpdate.log  Object is locked  skipped 
 
D:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped 
 
Scan process completed.
-------------------------------------------------------------------------------------------------------

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:21:27 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\DOCUME~1\MISTER~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienwareDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{41D50476-7313-4445-97B3-2FB1CC9CD5C7}: NameServer = 85.255.115.43,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CB7973F-5BCF-4755-9351-3D42FF82268B}: NameServer = 85.255.115.43,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{5324AA0D-A223-483C-ADC6-C99B89B2F58C}: NameServer = 85.255.115.43,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A4BB7A7-0D95-4B3A-88F9-7CD8A087AE08}: NameServer = 85.255.115.43,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.142
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe
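
Added example (not from the thread or either poster): a small Python triage helper for the two log formats posted above. It cross-checks HijackThis lines against the Kaspersky "Infected:" verdicts, and flags O7 policy restrictions, orphaned "(no file)" entries and O17 NameServer values that differ from the resolvers you expect. The sample lines are a constructed subset in the format of the logs above, and EXPECTED_RESOLVERS is a hypothetical value to be replaced with the ISP/router resolvers.

```python
import re
from typing import Dict, List, Set

# Constructed samples in the format of the two logs posted in the thread
# (a handful of lines, not the full logs).
KAV_SAMPLE = r"""Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\SAM  Object is locked  skipped
C:\Documents and Settings\Mister N\Local Settings\Temp\NERO13904\Toolbar.exe  Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm  skipped
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL  Infected: not-a-virus:AdTool.Win32.MyWebSearch.az  skipped
"""

HJT_SAMPLE = r"""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.142
"""

# Assumption (hypothetical value): the resolvers the ISP/router is expected to hand out.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1"}

# Kaspersky report line: "<path>  Infected: <verdict>  <action>"
KAV_LINE = re.compile(r"^(?P<path>.+?)\s{2,}Infected:\s+(?P<verdict>\S+)\s+\S+$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Windows path ending in a loadable module; stops at a closing quote.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|cpl)\b', re.IGNORECASE)


def kav_detections(text: str) -> Dict[str, str]:
    """Map each path Kaspersky reported as Infected to its verdict (case-folded path)."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            found[m.group("path").lower()] = m.group("verdict")
    return found


def triage_hjt(hjt_text: str, detections: Dict[str, str], expected_ns: Set[str]) -> List[str]:
    """Return one finding per HijackThis line that deserves a closer look."""
    findings: List[str] = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "O7":
            # Policy restrictions (e.g. registry editor disabled) are a symptom worth recording.
            findings.append(f"O7 policy restriction present: {line.split(', ', 1)[-1]}")
        elif section == "O17":
            # Resolvers the ISP did not hand out should be verified before trusting any DNS answer.
            unexpected = sorted(set(IPV4.findall(line)) - expected_ns)
            if unexpected:
                findings.append("O17 NameServer not in expected set: " + ", ".join(unexpected))
        elif line.endswith("(no file)"):
            findings.append(f"{section} orphaned entry (no file): {line}")
        # Any entry that loads a file the AV scan already flagged is a cleanup target.
        for path in WIN_PATH.findall(line):
            verdict = detections.get(path.lower())
            if verdict:
                findings.append(f"{section} loads file flagged by Kaspersky ({verdict}): {path}")
    return findings


def run_sample() -> List[str]:
    """Triage the constructed samples above."""
    return triage_hjt(HJT_SAMPLE, kav_detections(KAV_SAMPLE), EXPECTED_RESOLVERS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample this reports four lines: the orphaned O2 BHO, the O2 Ask Toolbar DLL that Kaspersky flagged as AdTool, the O7 DisableRegedit policy, and the two O17 nameservers.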

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: hit by Hakaglan.B worm
« Reply #3 on: 10. December 2007., 12:03:53 »

Haneef,

that's all for now.

We will analyze your logs in the next few hours and after that provide you cleaning instructions.

cya later,  ;)

S.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: hit by Hakaglan.B worm
« Reply #4 on: 10. December 2007., 22:54:32 »
Hi again Haneef,

First: it looks like you have two antivirus programs on your PC now (or is this maybe AVG AntiSpyware)?

If I got it right, you will need to uninstall one of them. That is very bad for your PC because you lose too much of your resources (CPU & RAM). If you want my advice, uninstall AVG.

Second: we need to clean this in a few "steps" and this is the first one. Please follow my instructions exactly as I "said", and if you don't understand something, please ask for additional explanation:

1. Turn off System Restore (this is most important).

Quote
Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

2. Update your NOD32 AntiVirus.

3. Restart your PC and start it again in Safe Mode. Instructions:

Quote
To start the computer in safe mode
1. You should print these instructions before continuing. They will not be available after you shut your computer down in step 2.
2. Click Start and then click Shut Down.
3. In the drop-down list of the Shut Down Windows dialog box, click Restart, and then click OK.
4. As your computer restarts but before Windows launches, press F8. On a computer that is configured for booting to multiple operating systems, you can press F8 when the boot menu appears.
5. Use the arrow keys to highlight the appropriate safe mode option, and then press ENTER.
6. If you have a dual-boot or multiple-boot system, choose the installation that you need to access using the arrow keys, and then press ENTER.

Note: If Windows launches before you can choose a safe mode, restart your computer and try again.

In safe mode, you have access to only basic files and drivers (mouse, monitor, keyboard, mass storage, base video, default system services, and no network connections). You can choose the Safe Mode with Networking option, which loads all of the above files and drivers and the essential services and drivers to start networking, or you can choose the Safe Mode with Command Prompt option, which is exactly the same as safe mode except that a command prompt is started instead of the graphical user interface. You can also choose Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.

Safe mode helps you diagnose problems. If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

There are circumstances where safe mode will not be able to help you, such as when Windows system files that are required to start the system are corrupted or damaged. In this case, the Recovery Console may help you.

NUM LOCK must be off before the arrow keys on the numeric keypad will function.

4. Run a Full Scan again with NOD32 AV.

5. After that, the McAfee Online Scan.

6. After that, HijackThis (it's important to turn off all possible programs before running HJT).

7. Provide us the logs from both (McAfee and HJT) and information on what NOD32 "said" after scanning (did it find or miss something?).


I'll be waiting for your next reply.


Regards,

Samker

 
