Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help Please, Hijack This Log [RESOLVED]


  • This topic is locked This topic is locked

#121
andyy

andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
I've completed step 1 and step 2.
However, when I go into Control Panel>Network Connections while in safe mode, there is nothing there, no icons at all. When I reboot to normal mode the icons are there, but when I reboot back into safe mode, they are still not there.

Should I complete step 3 in normal mode? If so, should I then go back into Safe Mode for step 4?

Thanks,
-Andy
  • 0

Advertisements


#122
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

Should I complete step 3 in normal mode?




Yes
  • 0

#123
andyy

andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
OK here we go...

This HJT log was just created after getting online to send this post. As you can see an 017 came back. In step 4 of your instructions I found no 017 to fix. I looked in safe and normal mode. I'm feeling hopeful, let me know what all this means!?!?!

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:34 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Andy's Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

here's the Ewido scan log. It cleaned 34 infected objects, some of which were ones that Norton was unable to get rid of.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:26:19 PM, 7/25/2005
+ Report-Checksum: E0094DAD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2000478354-507921405-1060284298-1004\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-2000478354-507921405-1060284298-1004\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_29.exe -> TrojanDownloader.Mediket.ae : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP116\A0026343.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP116\A0026344.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027878.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027879.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027881.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027882.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028555.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028556.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028557.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028558.dll -> Spyware.Zbar : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028559.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028560.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028572.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028573.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028574.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028575.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028576.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028577.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028578.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028579.dll -> Spyware.Banex : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028582.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP120\A0028637.dll -> Spyware.Zbar : Cleaned with backup
C:\Andy's Files\backups\backup-20050706-092156-829.dll -> Spyware.180Solutions : Cleaned with backup
C:\Andy's Files\backups\backup-20050711-114008-280.dll -> Spyware.WinAD : Cleaned with backup


::Report End


Here's the log.txt from remv3:

The batch is run from -- C:\Andy's Files\remv3 folder

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 386A-10DA

Directory of C:\WINDOWS\SYSTEM32

msi.dll
Finished
  • 0

#124
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Anddy,

Who do you have for an ISP... Please tell me sbcglobal.net.


Thanks,


Tom
  • 0

#125
andyy

andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Yes, sbcglobal.net. Why?
  • 0

#126
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Well my friend, that O17 is legit ;) its from sbcglobal.net.

But lets see how it goes, give it a day. otherwise we will go crazy...if it comes back ;)

:tazz:

Excal
  • 0

#127
andyy

andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
I will try my friend's blog site to see if I still get pop-ups. I'm going to wait til tomorrow though. I might as well go to sleep on a good note!!
-Andy
  • 0

#128
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
LMAO!! Ok, see u tommorrow.

:tazz:

Tom
  • 0

#129
andyy

andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
I just did a Norton virus scan (Ewido keeps freezing up on me) and it found this trojan:

ied s7 c 7.exe

Norton says it can't remove the file.
I did a windows search which found 2 cab's with this name.
Should I delete these myself?

-Andy
  • 0

#130
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Andyy,

I am not sure what that is, but I doesn't look legit. Looks like its some sort of ringtone download or something? I would delete it.



TOm
  • 0

Advertisements


#131
andyy

andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Oh my frickafrackafrookin god,

The computer just passed the acid test. I went to my friend's blog with no hijacks or pop-ups.

I think it was the most recent Ewido scan you had me do in Safe Mode that found the culprit. And I think it was called either Media ticket or better internet, or something. Those were two infections that Norton couldn't fix that Ewido did.

Anyway, everything looks good at this point.

Mucho thanks Tom,
-Andy
  • 0

#132
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Anddy,

Well I chose not to get excited yet....lol.
Give it a few more days and then we will see :tazz:

Did you add xtra protection? I gave u a list a while back, but I will post it again so you don't have to look for it...lol


Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#133
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Andyy,


Been a few days, everything still ok?


Thanks,

:tazz:

Tom
  • 0

#134
andyy

andyy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 77 posts
Hey, Thanks for checking in. Everything's still looking great. No Pop-ups. I ran another Norton scan yesterday and no thrats found. Except the lopremover that we pt on the computer. I've made all changes you recommended to increase security. The only thing I might still do is switch from Norton to something else for antivirus. Norton seems to be slowing down the computer.

Thanks,
-Andy
  • 0

#135
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I use AVG free addition and Sygate free firewall and they work great together.

You can delete that lopremover from your computer, and anything else that we downloaded that you don't want.


Tom
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP