Members
  • Total Members: 12816
  • Latest: t114563
Stats
  • Total Posts: 28524
  • Total Topics: 8240
  • Online Today: 900
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Hakaglan worm  (Read 6104 times)

0 Members and 1 Guest are viewing this topic.

haiyo

  • SCF Newbie
  • *
  • Posts: 1
  • KARMA: 0
Hakaglan worm
« on: 28. February 2008., 10:59:41 »
I have the same problem as well, and I scan and follow the steps at safemode with network config.
here is my HJT, Kasper results.

KASPERSKY ONLINE SCANNER REPORT 
Thursday, February 28, 2008 6:57:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/02/2008
Kaspersky Anti-Virus database records: 585128
 
 
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
 
Scan Target Folders
C:\ 
 
Scan Statistics
Total number of scanned objects 56666
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:41:22

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Haiyo\Cookies\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\Haiyo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
C:\Documents and Settings\Haiyo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\Haiyo\Local Settings\History\History.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\Haiyo\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat  Object is locked  skipped 
 
C:\Documents and Settings\Haiyo\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped 
 
C:\Documents and Settings\Haiyo\NTUSER.DAT  Object is locked  skipped 
 
C:\Documents and Settings\Haiyo\ntuser.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped 
 
C:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped 
 
C:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped 
 
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped 
 
C:\WINDOWS\CSC\00000001  Object is locked  skipped 
 
C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped 
 
C:\WINDOWS\system32\config\default  Object is locked  skipped 
 
C:\WINDOWS\system32\config\default.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\Internet.evt  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SAM  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SECURITY  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\software  Object is locked  skipped 
 
C:\WINDOWS\system32\config\software.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped 
 
C:\WINDOWS\system32\config\system  Object is locked  skipped 
 
C:\WINDOWS\system32\config\system.LOG  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped 
 
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped 
 
Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:01 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Haiyo\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isoshu.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e404 helper - {8BD4438C-2511-4B93-AD34-2BDCD0FF78D2} - C:\Program Files\Helper\1203142580.dll (file missing)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "F:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - F:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184654587000
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: epistylar - {917f93bf-6714-4e11-8982-59db2e0f88fc} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7811 bytes

Samker's Computer Forum - SCforum.info

Hakaglan worm
« on: 28. February 2008., 10:59:41 »




Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Hakaglan worm
« Reply #1 on: 28. February 2008., 12:05:56 »
Hi Haiyo and Welcome to SCF Board. :bih:

I was split you reply to one old topic and make new one (this one - yours).

We will check your logs in the next few hours and give you next instruction for cleaning.

Regards,

Samker

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Hakaglan worm
« Reply #2 on: 28. February 2008., 20:56:17 »
Hi again Haiyo,

for the start please run again HijackThis (HJT), close all opened browser windows, check and fix all this items, after that restart your PC:

Quote
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isoshu.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e404 helper - {8BD4438C-2511-4B93-AD34-2BDCD0FF78D2} - C:\Program Files\Helper\1203142580.dll (file missing)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "F:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O22 - SharedTaskScheduler: epistylar - {917f93bf-6714-4e11-8982-59db2e0f88fc} - (no file)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

Next step is to make another Online AntiVirus Scan but this time with McAfee and of course provide us results: http://scforum.info/index.php/topic,734.0.html

Finally, with that McAfee log provide us new HJT log.

Thats all for now, cya later.

Regards,

Samker

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising