
pls.check my hjt log [RESOLVED]


  • This topic is locked

#16
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Do this for me. With only HJT running, have it fix:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7019C85B-009A-48B8-A407-D7F5BF0A9BC9}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 69.50.176.158,85.255.112.8


Exit HijackThis. Click Start > Run and copy and paste the following command: ipconfig /flushdns

Click OK. Reboot when done. Let me know.
  • 0


#17
anesta2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I discovered something, please forgive me for talking too much :)
I go to Control Panel, Network and Dial-up Connections, Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties

"Obtain DNS server address automatically" is NOT highlighted; instead "Use the following DNS server addresses" is highlighted.
AND SURPRISE: The addresses are the same as the ones in O17.

So do you advise me to remove them from here and choose automatic DNS?
Will this fix the problem? May I try?
  • 0

#18
anesta2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I tried. It didn't work :(

I found the same problem in another forum, does this help?
http://www.tech-reci...re_tips765.html

I did something more: I looked at my ADSL modem configuration, and the DNS numbers are completely different from those ones. Do I need to change them in Control Panel to the same numbers?

Edited by anesta2000, 04 September 2005 - 02:35 PM.

  • 0

#19
anesta2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Daemon,
I did something myself.
I deleted the O17 entries. Of course I couldn't connect to the internet.
Then, from Control Panel, I changed the DNS numbers to the ones in my modem controls. IT WORKED, but I don't know if the malware still persists (hclean32.exe.ren warning by NAV).

Here is my last HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 00:56:12, on 05.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\xp\My Documents\programlar\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: MynetOkey - http://oyunsunucu.my...ebRoot/Okey.CAB
O16 - DPF: MynetTavla - http://oyunsunucu.my...bRoot/Tavla.CAB
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti...EditControl.CAB
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PPInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 212.156.4.6,212.156.4.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Is everything OK? Do I need to clean anything for hclean32.exe.ren?
Thanks for all. You're great!
  • 0
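
The before-and-after O17 comparison in this thread, written out as an added example (not part of any post, and not HijackThis's own code): it parses O17 NameServer lines from a log and flags any resolver that is not on an expected list. The expected list is an assumption, taken to be the modem-supplied addresses in the later log; the function and variable names are illustrative.

```python
import ipaddress
import re

# Shape of the O17 lines in this thread's logs:
#   O17 - <registry key>\{interface GUID}: NameServer = addr,addr
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<name>\w+) = (?P<value>.+)$")

# Assumption: the resolvers the topic starter copied from the modem
# configuration (the values in the later log) are the legitimate ones.
EXPECTED = ["212.156.4.6", "212.156.4.7"]

# O17 lines quoted from the posts above, plus one unrelated O4 line.
SAMPLE_LOG = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{7019C85B-009A-48B8-A407-D7F5BF0A9BC9}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 212.156.4.6,212.156.4.7
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
"""


def audit_o17(log_text, expected):
    """Return one finding per O17 NameServer line, listing servers not in `expected`."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or m.group("name") != "NameServer":
            continue  # not an O17 resolver entry
        unexpected = []
        # The registry value may separate addresses with commas or spaces.
        for token in filter(None, re.split(r"[,\s]+", m.group("value"))):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                unexpected.append(token)  # malformed entry: report it too
                continue
            if addr not in allowed:
                unexpected.append(str(addr))
        findings.append({
            "interface": m.group("key").rsplit("\\", 1)[-1],
            "unexpected": unexpected,
            "ok": not unexpected,
        })
    return findings


if __name__ == "__main__":
    for f in audit_o17(SAMPLE_LOG, EXPECTED):
        status = "ok" if f["ok"] else "UNEXPECTED " + ", ".join(f["unexpected"])
        print(f["interface"], status)
```
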

#20
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Whoa there! Let me catch up with you.

OK, you have sorted out the DNS issue - well done :tazz:

The files that are ****.exe.ren are the ones that we renamed earlier - they can't harm you now; however, just delete them to stop Norton detecting them.

Otherwise everything looks OK - how is it running now?
  • 0

#21
anesta2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Daemon,
I've deleted the *.ren files; everything seems to be fixed up to now. (Hope not to see the nightmare again :)
Thanks for all your effort.

You're GREEEAAAAAT!!!!!

...but I realized that I cannot open some sites, e.g. I cannot open yahoo.com. Do you have any idea about that? Do I need to change some settings?

Edited by anesta2000, 05 September 2005 - 11:16 AM.

  • 0

#22
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Do this and let me know if it resolves it.

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

Click here to download the Hoster. Extract it from the zip file into a folder and double-click on hoster.exe. Press "Restore Original Hosts" and press "OK". Exit the program.
  • 0

#23
anesta2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Daemon,
Sorry for replying so late, but I'm a little bit sick. I've tried to connect to Yahoo again and there seems to be no problem now. I think this virus has affected my nervous system so much. I'll keep your advice in mind and try it if I have a problem again.
I want to thank you again and again for your great effort.
Best regards.
  • 0

#24
anesta2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Daemon, I followed your instructions. When I ran Hoster, it said something like "couldnt find host etc.." and asked to create it. I said "yes", then pressed "Restore Original Hosts".
Now my problem is that I cannot connect to the internet properly. Many times it says "cannot displayed". This problem may be from the ADSL service provider, I know, but up to now I didn't have a problem like this.
I've tried something more: when a site was open, I clicked on a link to open it in a new window and at the same time I tried to open Yahoo. The linked page opened, but the Yahoo page said it can't be displayed. To me this shows the problem does not come from the service provider. When I disconnected and connected again, then I opened Yahoo, for example.
The problem seems to me like this: I've narrowed my connection to the internet, and it sometimes connects properly and sometimes not.

Here is my latest HJT log if needed:

Logfile of HijackThis v1.99.1
Scan saved at 22:01:17, on 08.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\xp\My Documents\programlar\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: MynetOkey - http://oyunsunucu.my...ebRoot/Okey.CAB
O16 - DPF: MynetTavla - http://oyunsunucu.my...bRoot/Tavla.CAB
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti...EditControl.CAB
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PPInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 212.156.4.6,212.156.4.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Anything more to do?
With my best regards

Edited by anesta2000, 08 September 2005 - 01:10 PM.

  • 0

#25
anesta2000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Daemon,
PROBLEM FIXED.
Re-installed the modem and all the configurations as told by the service provider. IE is running well now.
Thanks for your great effort. You can close this topic.
  • 0


#26
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
You're welcome - glad to help :tazz:

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
  • 0





