[Daemon]

Do this for me. With only HJT running, have it fix:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7019C85B-009A-48B8-A407-D7F5BF0A9BC9}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 69.50.176.158,85.255.112.8

Exit HijackThis. Click Start>Run and copy and paste next command : ipconfig /flushdns

Click OK. Reboot when done. Let me know.

[Advertisements]

I discovered something, pls forgive me talking too much:)
I go to Control Panel , Netwok and Dialup connections, Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties

obtain DNS server address automatically is NOT highlighted, instead "use the following DNS server adresess" is highlighted
AND SURPRISE:The addresses are same with the ones in O17.

So do you advice me to remove them from here and choose automatic DNS?
will this fix the problem?May I try?

[anesta2000]

I discovered something, pls forgive me talking too much:)
I go to Control Panel , Netwok and Dialup connections, Local Area Connection, Properties, Internet Protocol (TCP/IP), Properties

obtain DNS server address automatically is NOT highlighted, instead "use the following DNS server adresess" is highlighted
AND SURPRISE:The addresses are same with the ones in O17.

So do you advice me to remove them from here and choose automatic DNS?
will this fix the problem?May I try?

[anesta2000]

I Tried. It didn't work:(

I found the same problem in an other forum, this helps?
http://www.tech-reci...re_tips765.html

I did smthg more, I looked at my adsl modem configuration, DNS numberes are completely different than that ones. Do I need to change from control panel with same numbers?

Edited by anesta2000, 04 September 2005 - 02:35 PM.

[anesta2000]

Hi Daemon,
I did something myself.
I deleted O17 entres. of course I couldnt connect to internet.
Than, from control panel I chnaged the DNS numbers with the ones in my modem controls. IT WORKED but I dont know if the malware still persists (hclean32.exe.ren warning by NAV)

Here is my last HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 00:56:12, on 05.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\xp\My Documents\programlar\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: MynetOkey - http://oyunsunucu.my...ebRoot/Okey.CAB
O16 - DPF: MynetTavla - http://oyunsunucu.my...bRoot/Tavla.CAB
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti...EditControl.CAB
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PPInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 212.156.4.6,212.156.4.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Is Everything ok? do I need to clean anything for hclean32.exe.ren?
Thanks for all..You're great!

[Daemon]

Whoa there! Let me catch up with you.

OK you have sorted out the dns issue - well done

The files that are ****.exe.ren are the ones that we renamed earlier - they can't harm you now however just delete them to stop norton detecting them.

Otherwise everything looks OK - how is it running now?

[anesta2000]

Hi Daemon,
I've deleted *.ren files, everything seems to be fixed up to now. (Hope not to see nightmare again:)
Thanks for all your effort.

You're GREEEAAAAAT!!!!!

...but I realized that I cannot open some sites. for eg. I cannot open yahoo.com, do you have any idea about that? Do I need to change some settings?

Edited by anesta2000, 05 September 2005 - 11:16 AM.

[Daemon]

Do this and let me know if it resolves it.

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

Click here to download the Hoster. Extract it from the zip file into a folder and doubleclick on hoster.exe. Press "Restore Original Hosts" and press "OK". Exit the program.

[anesta2000]

Hi Daemon,
sorry for repliying too late but I'm a little bit sick. I've tried to connect yahoo again and there seems no problem now. I think this virus has affected my nervous system soo much. I'll keep your advice in my mind and try if I've a problem again.
I want to thank you again and again for your great effort.
Best regards.

[anesta2000]

Hi Daemon, I followed your instructions. When I run hoster, it said that something like "couldnt find host etc.." and asked to create. I said "yes" then press "Restore Original Hosts".
Now, my problem is; I cannot connect internet properly. Many times it says "cannot displayed". This problem may be from adsl service provider I know but up to know I didnt have a problem like this.
I've tried smtng more, when a site is open I clicked on a link to open in anew window and at the same time I tried to open yahoo. The link page is opened but yahoo page said it cant be displayed. According to me this shows the problem does not occur from service provider. When I disconnect and connect again, then I opened yahoo for eg.
The problem seems to me like this: I've narrowed my connection to internet and it connects sometimes properly and sometimes not.

Here is my latest HJT log if needed:

Logfile of HijackThis v1.99.1
Scan saved at 22:01:17, on 08.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\xp\My Documents\programlar\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [gcasDtServ] gcasDtServ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: MynetOkey - http://oyunsunucu.my...ebRoot/Okey.CAB
O16 - DPF: MynetTavla - http://oyunsunucu.my...bRoot/Tavla.CAB
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti...EditControl.CAB
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PPInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC5FB767-944A-497F-85E5-A4332184FFAC}: NameServer = 212.156.4.6,212.156.4.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Anything to do more?
with my best regards

Edited by anesta2000, 08 September 2005 - 01:10 PM.

[anesta2000]

Hi Daemon,
PROBLEM FIXED.
Re-installed modem and all configurations told by service provider. IE is running well now.
Thanks for your great effort. You can close this topic.

[Daemon]

You're welcome - glad to help

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.