Hijack/ Virus help needed- HijackThis log [RESOLVED]


#16 tlcfromtn (Member, Topic Starter, 69 posts)
Panda Activescan


Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\I9UPGH61\connect[1].htm
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\S78XI909\m7[1].htm
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000011.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000012.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000019.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000020.CPY
Adware:Adware/SecurityError No disinfected C:\Recycled\Dc1.exe
Adware:Adware/WindowEnhancer No disinfected C:\Recycled\Dc4\SBWebCtl.dll

#17 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Disable System Restore again. Restart... Enable System Restore.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\Temporary Internet Files\Content.IE5\I9UPGH61\connect[1].htm
C:\WINDOWS\Temporary Internet Files\Content.IE5\S78XI909\m7[1].htm
C:\Recycled\Dc1.exe
C:\Recycled\Dc4\SBWebCtl.dll


If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to log off.

Run a new Panda scan. Anything found?

#18 tlcfromtn (Member, Topic Starter, 69 posts)
Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000020.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000021.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000075.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000076.CPY

#19 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
It should be good now. Ignore any registry entries found. If you want, disable system restore once more and then run the online Panda scan to see if anything is found. If not, restart and enable system restore again.

Any problems now?

#20 tlcfromtn (Member, Topic Starter, 69 posts)
How does this look? I had more stuff on there this morning. I need to keep my computer locked I guess!

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000020.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000021.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000075.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000120.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000121.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000138.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000139.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0001138.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0001139.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0003137.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0003138.CPY
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0004137.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0004138.CPY

#21 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Doesn't look right. You disabled System Restore and restarted ... then enabled System Restore, right?

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\_RESTORE\TEMP\A0000021.CPY
C:\_RESTORE\TEMP\A0000004.CPY
C:\_RESTORE\TEMP\A0000075.CPY
C:\_RESTORE\TEMP\A0000121.CPY
C:\_RESTORE\TEMP\A0000139.CPY
C:\_RESTORE\TEMP\A0001139.CPY
C:\_RESTORE\TEMP\A0003138.CPY
C:\_RESTORE\TEMP\A0004138.CPY


If you get a PendingOperations message, just close it and restart your computer manually.

Disable System Restore again and restart your computer. Don't enable system restore yet. Run a Panda scan. Anything found? Turn it back on and run another Panda scan. Clear?

#22 tlcfromtn (Member, Topic Starter, 69 posts)
No, I forgot to disable System Restore before that last scan. Sorry. So should I do that, run another scan and post it again, or just do as you said in the post above? Thanks for all your help!

#23 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You should disable System Restore... enable it back after a restart. That should have cleared it out immediately.

#24 tlcfromtn (Member, Topic Starter, 69 posts)
This is the scan with system restore disabled:

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe

This is the scan with system restore on:

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY

#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, try disabling System Restore during the Panda scan and see if it finds anything. Once done, enable system restore again and do this:

Run a virus scan using Kaspersky Online Scanner and see what it finds.

#26 tlcfromtn (Member, Topic Starter, 69 posts)
I want to make sure I have this straight: you want me to disable System Restore while the scan is running?

#27 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, that's correct. For some reason it seems like the restore point is keeping the bad files. So I want you to run it with System Restore turned off. Turn it back on when the Panda scan is done. Then (while System Restore is turned back on), run the Kaspersky scan.
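
The point made in #27 (restore-point copies keep reappearing while System Restore is on) can be checked mechanically against the pasted scan output. As an added example, not from this thread or from any tool mentioned in it, this script parses Panda ActiveScan "Incident Status Location" lines, separates restore-point copies from detections that still need manual action, and uses the two scans from post #24 as sample input; the location categories it assigns are the script's own assumption, not Panda's.

```python
import re

# One Panda ActiveScan incident line as pasted in this thread:
#   Category:Name Status Location
# Status is "Disinfected" or "No disinfected"; the location may contain
# spaces ("Windows Registry", "...\Temporary Internet Files\...").
PANDA_LINE = re.compile(r"^(?P<category>[^:\s]+):(?P<name>\S+)\s+"
                        r"(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")

def parse_panda(text):
    """Return one dict per incident line; the header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            incidents.append(m.groupdict())
    return incidents

def classify(location):
    """Where a detection lives decides which cleanup step can remove it (assumed categories)."""
    loc = location.lower()
    if loc == "windows registry":
        return "registry"          # the helper in this thread says to ignore these
    if loc.startswith("c:\\_restore\\"):
        return "restore_point"     # copy held by System Restore; gone once it is disabled
    if "\\temporary internet files\\" in loc or loc.startswith("c:\\recycled\\"):
        return "cache_or_recycled"  # browser cache / Recycle Bin leftovers
    return "persistent_file"       # a real file on disk that needs manual review

def triage(text):
    """Group incidents that are still not disinfected by the action they need."""
    groups = {}
    for inc in parse_panda(text):
        if inc["status"] != "Disinfected":
            groups.setdefault(classify(inc["location"]), []).append(inc["location"])
    return groups

def restore_only(scan_restore_on, scan_restore_off):
    """Locations reported only while System Restore is on: the restore-point copies."""
    on = {i["location"] for i in parse_panda(scan_restore_on)}
    off = {i["location"] for i in parse_panda(scan_restore_off)}
    return sorted(on - off)

# Sample input: the two scans the topic starter posted in #24 of this thread.
SCAN_RESTORE_OFF = r"""Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
"""
SCAN_RESTORE_ON = SCAN_RESTORE_OFF + r"""Virus:Trj/Full.A Disinfected C:\_RESTORE\TEMP\A0000003.CPY
Adware:Adware/Megatds No disinfected C:\_RESTORE\TEMP\A0000004.CPY
"""
```

`restore_only(SCAN_RESTORE_ON, SCAN_RESTORE_OFF)` returns exactly the two `C:\_RESTORE\TEMP` copies, and `triage(SCAN_RESTORE_ON)` leaves only the registry entry and `ProcessLogger.exe` as items a cleanup tool did not resolve.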

#28 tlcfromtn (Member, Topic Starter, 69 posts)
Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe

--------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, October 25, 2005 21:06:55
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/10/2005
Kaspersky Anti-Virus database records: 146837
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 38562
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 3263 sec

Infected Object Name - Virus Name
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Sun, 21 Oct 2001 06:18:43 -0700 (PDT)]/UNNAMED/CONEONCO.EXE Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Sun, 21 Oct 2001 06:18:43 -0700 (PDT)]/UNNAMED Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Mon, 12 Nov 2001 13:36:11 -0800 (PST)]/UNNAMED/CONEONCO.EXE Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From Wed, 14 Nov 2001 00:47:13 -0800][Date Mon, 12 Nov 2001 13:36:11 -0800 (PST)]/UNNAMED Infected: Email-Worm.Win32.Hybris.b
c:\WINDOWS\Application Data\Identities\{5BD0A2D8-D211-41B5-8DC7-7DD04D2C860B}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Hybris.b
c:\_RESTORE\TEMP\A0000003.CPY Infected: Trojan.Win32.Small.fb
c:\_RESTORE\TEMP\A0000004.CPY Infected: Trojan-Downloader.Win32.Agent.uj

Scan process completed.

#29 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You see those bad files found by Kaspersky? They seem to be stored in your Outlook Express emails. Look for those specific ones (they have the date and time for the email listed) and delete them. Empty your email trash bin when done.

This might not work, but let's give it a try:

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

c:\_RESTORE\TEMP\A0000003.CPY
c:\_RESTORE\TEMP\A0000004.CPY


If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Run a new Panda and Kaspersky scan. Post their logs here.

#30 tlcfromtn (Member, Topic Starter, 69 posts)
We only used Outlook Express for mail for a short time when we first got our computer. Sometime within the last year I removed it. I found it again and added it back after I read your last reply. Bad thing is 3 of us had email accounts and nobody remembers their password now. Is there any way to get into it or to delete the files without getting into it?