HIJACKTHIS


#31 VirusGirl123 (Topic Starter, Member, 150 posts)
WHEN U SAY : "Be sure you're able to view hidden files, and remove the following files in bold (if found)"
do u want me to run HIJACKTHIS again and delete the ones that u listed from there.. or do u want me to look for them in the C:/ drive??

#32 VirusGirl123 (Topic Starter, Member, 150 posts)
Please tell me......

#33 Smokey (Retired Staff, 1,423 posts)
C: drive, then browse to the appropriate file/folder and remove it.

#34 VirusGirl123 (Topic Starter, Member, 150 posts)
ALRIGHTY! <_<

#35 VirusGirl123 (Topic Starter, Member, 150 posts)
newest HIJACKTHIS log.. my computer is STILL infected. <_<

Logfile of HijackThis v1.98.2
Scan saved at 8:51:17 PM, on 11/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner.YOUR-US67PI6LUV\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\hp center\137903\Program\InsertInfoPaks.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101669656545
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#36 VirusGirl123 (Topic Starter, Member, 150 posts)
is spykiller a virus? i think that may b what is rebooting my computer?

#37 Smokey (Retired Staff, 1,423 posts)
You may wish to print out a copy of these instructions to follow while you complete this procedure. Please move Hijack This to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Well, spywarekiller isn't helping anything. See the "Rip-off Removal Software" link in my signature. Here are the two trojans we're going to take down (along with some spyware):

O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe <- http://www.sygate.co...041015-0001.htm. Note that the SdBot.WW worm is in no way affiliated with Sygate Technologies. SdBot.WW does not affect the performance of Sygate products. Sygate Personal Firewall’s executable is not named Sygate32.exe.

AND

O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe <- http://www.sophos.co...32forbotcg.html

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files:

C:\Windows\System32\servic.exe
C:\Windows\System32\msnms.exe
C:\Program Files\WildTangent\
C:\WINDOWS\System32\msbe.dll
C:\Program Files\Windows TaskAd\

This next one is up to you. It gives you updates from HP, but also displays advertisements. Delete these if you don't want this:

C:\Program Files\hp center\137903\

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe (if removed)
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe (if removed)
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

If you don't use AOL Instant Messenger, fix these too:
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

Fix if you don't use MSN Messenger:
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. <_<
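As an added illustration of the triage Smokey walks through above (not code from this thread or from HijackThis itself), here is a small Python parser for the O2 and O4 lines of a HijackThis log. It flags autostart entries whose command is a bare filename with no path, like servic.exe and msnms.exe, and BHOs whose DLL is marked "(file missing)". The regexes and the finding format are my assumptions about the log layout shown in the post, and the sample input is a constructed subset of the log above.

```python
import re

# Constructed test input: O2/O4 lines taken from the HijackThis log posted
# above, so the triage can run offline without touching a registry.
SAMPLE_LOG = r"""
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunServices: [MSN Updater] msnms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# O4 registry autostart line: "O4 - HKLM\..\Run: [Display name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# O2 browser helper object line: "O2 - BHO: name - {CLSID} - path"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def executable_of(command):
    """Program part of an O4 command line: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def triage(log_text):
    """Return (kind, name, target, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = executable_of(command)
            if "\\" not in exe:  # bare filename: Windows resolves it via the search path
                findings.append(("O4", name, exe,
                    f"{hive}\\..\\{key} runs '{exe}' with no path; confirm which file that is"))
            continue
        m = O2_RE.match(line)
        if m and m.group(3).endswith("(file missing)"):
            findings.append(("O2", m.group(1), m.group(3),
                "BHO DLL no longer exists on disk; leftover registration"))
    return findings

if __name__ == "__main__":
    for kind, name, target, reason in triage(SAMPLE_LOG):
        print(f"{kind} [{name}] {target}: {reason}")
```

Running the block lists the four flagged entries; anything launched by a full path, like ccApp.exe, is left alone.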

#38 VirusGirl123 (Topic Starter, Member, 150 posts)
thank you soooo much! the only problem is that my phone line is cut off at the moment and i am using my moms computer.. i cant get on the internet.. is there any way i can use your instructions from my moms computer?

#39 VirusGirl123 (Topic Starter, Member, 150 posts)
i can get on my computer but since the phone line is cut off i cant get on the internet... so can i download these things on a disk then onto my computer or something?

#40 Smokey (Retired Staff, 1,423 posts)
Ok, then go ahead and print out the instructions. The only program you will need is hijackthis. You can go ahead and put it on a floppy, cd, or thumbdrive then load it on the infected pc.

#41 VirusGirl123 (Topic Starter, Member, 150 posts)
ok cool... i have 2 more questions about the instructions.. would u recommend deleting "This next one is up to you. It gives you updates from HP, but also displays advertisements. Delete these if you don't want this"? C:\Program Files\hp center\137903\
and i do use aim alot so would it mess it up if i deleted those things?

#42 Smokey (Retired Staff, 1,423 posts)
If you use AIM, then keep the AIM entries. If you don't care to be bothered by HP on your PC, then delete the suggested folder. Your system will run as before minus the HP nags.

#43 VirusGirl123 (Topic Starter, Member, 150 posts)
on this part what do i do? O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe <- http://www.sygate.co...041015-0001.htm. Note that the SdBot.WW worm is in no way affiliated with Sygate Technologies. SdBot.WW does not affect the performance of Sygate products. Sygate Personal Firewall’s executable is not named Sygate32.exe.

#44 Smokey (Retired Staff, 1,423 posts)
Sorry for the confusion. I was just pointing out that entry. <_<

#45 VirusGirl123 (Topic Starter, Member, 150 posts)
no problem. <_<. these r the solutions it listed on the site.. do u want me to do them.. Solutions:

Look for and delete files:
[Windows System directory]\sygate32.exe (88576 bytes)
[Weakly-Protected Network Share]\bling.exe (90112 bytes)
[Windows System directory]\servic.exe (80583 bytes)
Also remove the windows registry keys listed above along with any other entries for sygate32, servic, or bling.
Look for unexpected network traffic.
Restore corrupted or damaged files with clean backup copies.
Restore script.ini and other files potentially overwritten by the worm.
Validate the functionality of all anti-virus and security-related software