HIJACKTHIS
Started by
VirusGirl123
, Nov 27 2004 02:26 PM
#31
Posted 29 November 2004 - 08:01 PM
do u want me to run HIJACKTHIS again and delete the ones that u listed from there.. or do u want me to look for them in the C:/ drive??
#32
Posted 30 November 2004 - 04:06 PM
Please tell me......
#33
Posted 30 November 2004 - 06:15 PM
C: drive, then browse to the appropriate file/folder and remove it.
#34
Posted 30 November 2004 - 07:28 PM
ALRIGHTY!
#35
Posted 30 November 2004 - 07:55 PM
newest HIJACKTHIS log.. my computer is STILL infected.
Logfile of HijackThis v1.98.2
Scan saved at 8:51:17 PM, on 11/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner.YOUR-US67PI6LUV\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\hp center\137903\Program\InsertInfoPaks.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101669656545
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
#36
Posted 30 November 2004 - 08:22 PM
is spykiller a virus? i think that may b wat is rebooting my computer?
#37
Posted 30 November 2004 - 08:47 PM
You may wish to print out a copy of these instructions to follow while you complete this procedure. Please move Hijack This to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Well, spywarekiller isn't helping anything. See the "Rip-off Removal Software" link in my signature. Here are the two trojans we're going to take down (along with some spyware):
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe <- http://www.sygate.co...041015-0001.htm. Note that the SdBot.WW worm is in no way affiliated with Sygate Technologies. SdBot.WW does not affect the performance of Sygate products. Sygate Personal Firewall’s executable is not named Sygate32.exe.
AND
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe <- http://www.sophos.co...32forbotcg.html
Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files:
C:\Windows\System32\servic.exe
C:\Windows\System32\msnms.exe
C:\Program Files\WildTangent\
C:\WINDOWS\System32\msbe.dll
C:\Program Files\Windows TaskAd\
This next one is up to you. It gives you updates from HP, but also displays advertisements. Delete these if you don't want this:
C:\Program Files\hp center\137903\
Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe (if removed)
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe (if removed)
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
If you don't use AOL Instant Messenger, fix these too:
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
Fix if you don't use MSN Messenger:
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Reboot your PC.
If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working.
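An added example, not part of the original posts: a small Python triage of HijackThis log lines that flags the kinds of entries singled out in the instructions above (autoruns registered without a full path, such as servic.exe and msnms.exe, "(file missing)" targets, and startup shortcuts with an unresolved target). The function name, regular expressions and reason strings are assumptions made for illustration; a flag means "review this entry", not "this is malware".

```python
import re

# Constructed sample: a few entry lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - Global Startup: Event Reminder.lnk = ?
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Registry autorun body: "HKLM\..\Run: [value name] command line"
RUN_ENTRY = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def triage(log_text):
    """Return (section, reason, line) tuples for entries that need manual review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header and running-process lines are not entries
        section, body = m.group("section"), m.group("body")
        if body.endswith("(file missing)"):
            # Registration left behind after its file was deleted.
            findings.append((section, "target file missing", line))
        if section == "O4":
            run = RUN_ENTRY.match(body)
            if run:
                # First token of the command, without surrounding quotes.
                exe = run.group("cmd").split()[0].strip('"')
                if "\\" not in exe:
                    # Bare name: resolved through the search path, so the
                    # log does not show which file on disk actually runs.
                    findings.append((section, "autorun without full path", line))
            elif body.endswith("= ?"):
                findings.append((section, "startup shortcut target unresolved", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

Legitimate entries such as the RUNDLL32.EXE line are flagged too, which is why each hit still has to be checked against a reference before anything is fixed.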
#38
Posted 30 November 2004 - 08:59 PM
thank you soooo much! the only problem is that my phone line is cut off at the moment and i am using my moms computer.. i cant get on the internet.. is there n e way i can use your instructions from my moms computer?
#39
Posted 30 November 2004 - 09:00 PM
i can get on my computer but since the phone line is cut off i cant get on the internet... so can i download these things on a disk then onto my computer or something?
#40
Posted 30 November 2004 - 09:07 PM
Ok, then go ahead and print out the instructions. The only program you will need is hijackthis. You can go ahead and put it on a floppy, cd, or thumbdrive then load it on the infected pc.
#41
Posted 30 November 2004 - 09:15 PM
ok cool... i have 2 more questions about the instructions.. would u recommend deleting "This next one is up to you. It gives you updates from HP, but also displays advertisements. Delete these if you don't want this"? C:\Program Files\hp center\137903\
and i do use aim a lot so would it mess it up if i deleted those things?
#42
Posted 30 November 2004 - 09:16 PM
If you use AIM, then keep the AIM entries. If you don't care to be bothered by HP on your PC, then delete the suggested folder. Your system will run as before minus the HP nags.
#43
Posted 30 November 2004 - 09:19 PM
on this part wat do i do? O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe <- http://www.sygate.co...041015-0001.htm. Note that the SdBot.WW worm is in no way affiliated with Sygate Technologies. SdBot.WW does not affect the performance of Sygate products. Sygate Personal Firewall’s executable is not named Sygate32.exe.
#44
Posted 30 November 2004 - 09:22 PM
Sorry for the confusion. I was just pointing out that entry.
#45
Posted 30 November 2004 - 09:24 PM
no problem. . these r the solutions it listed on the site.. do u want me to do them.. Solutions:
Look for and delete files:
[Windows System directory]\sygate32.exe (88576 bytes)
[Weakly-Protected Network Share]\bling.exe (90112 bytes)
[Windows System directory]\servic.exe (80583 bytes)
Also remove the windows registry keys listed above along with any other entries for sygate32, servic, or bling.
Look for unexpected network traffic.
Restore corrupted or damaged files with clean backup copies.
Restore script.ini and other files potentially overwritten by the worm.
Validate the functionality of all anti-virus and security-related software