
Help! Please look at my HiJack This log?


6 replies to this topic

#1 appleseed

appleseed

  • Members
  • 10 posts
  • Local time:05:19 PM

Posted 21 February 2005 - 04:24 PM

would someone mind checking my log and telling me what to do to get rid of this headache? i've deleted this virus in safe mode and it renames itself and reappears. i've tried HSRemove and About:Blaster in safe mode, too. i saw that i need a hijack this log for help and so i downloaded it, ran it and it is as follows:


Logfile of HijackThis v1.99.1
Scan saved at 1:05:45 PM, on 2/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\addqb.exe
C:\WINNT\system32\atlsg32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Izzy & Milo\My Documents\Programs\Virus Protection\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97C150E5-B600-7BAA-FD1E-67BAB832252E} - C:\WINNT\system32\mswa.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [addem32.exe] C:\WINNT\system32\addem32.exe
O4 - HKLM\..\Run: [atlsg32.exe] C:\WINNT\system32\atlsg32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINNT\system32\addqb.exe


Please help. I really appreciate it!!

DA



#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:02:19 PM

Posted 21 February 2005 - 05:24 PM

I will check your log.
It's likely to be 24 hours before a reply,
perhaps sooner. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:02:19 PM

Posted 22 February 2005 - 06:37 PM

appleseed,
your log indicates you are seriously behind on Windows updates.
The particular malware is likely present on your PC because of that.
Perhaps the lack of a firewall as well.
It has been three years since service pack 1 was released.
Soon no updating will be available without SP1 installed.

It is essential that you update your windows.


http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
is a website that makes service pack 1a available.
From the webpage:
Express Installation
Most users choose the Express installation to update their personal computers.
The download size varies, depending on how recently you have used the
Windows Update online service.
The typical 30-megabyte download will take approximately 90 minutes
with a dial-up connection and a 56k modem, or 3-5 minutes
with a broadband Internet connection.

It is likely you will need a required download to use the updating service,
so simply approve the ActiveX applet and follow the prompts.

The scan performed next will determine that your PC has no updates.
Express Install (recommended): High Priority Updates &
Custom Install: High Priority and Optional Updates
will be your choices.

Service Pack 2 will likely be offered in Express.
If so, then choose Custom instead, to install SP 1a.
Service Pack 2 is very large & may cause more
problems if you try to install it at this time,
considering the malware present.

Service pack 1a, and the various individual hotfixes that are
the critical updates that comprise just part of the larger service pack 2,
will be much easier to accomplish.

Start with it.

Repeat the process until you have all critical updates, at least.

Then run Hijack This once again and post
the new log as a reply to this post.

The work done from that point will then be effective.
At least give it a good solid effort, please.
Let me know how it goes.

Also, are you using any firewall protection at this time?
patiently patrolling, plenty of persistent pests n' problems ...

#4 appleseed

appleseed
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:19 PM

Posted 24 February 2005 - 10:44 PM

phawgg - please see the message i sent you.

i can't install sp1 or sp1a because it keeps wanting to reinstall kb835732 over and over and over (0.0 mb of space req'd version - not real version of 2.6 mb)...

thx and sorry!

da

#5 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:02:19 PM

Posted 24 February 2005 - 10:59 PM

Got your message & replied.

No problem, a reformat was a good decision in my opinion.

I think SP2 would be good, also, despite the quirks
that might cause a few programs to need extra
attention after you install them.

Alternatives are available for replacement, as often as not.

SP2 combines everything MS has released to improve
security in winXP since it came out, all in
one bundle.

Go for the CD mailed to you, if you
don't want a super long download (if you have dialup)
Otherwise consider just letting the PC run while you sleep.
(on broadband millions of folks have had no problem)

Thanks for letting me know,
and I hope this helps you to resolve the updating issue.

http://support.microsoft.com/?scid=ph;en-us;6794

Edited by phawgg, 24 February 2005 - 11:01 PM.

patiently patrolling, plenty of persistent pests n' problems ...

#6 appleseed

appleseed
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:19 PM

Posted 24 February 2005 - 11:06 PM

thanks.

so do you know anything about this update i'm having probs with? (kb835732)

i have broadband, so i don't have any probs waiting for a download - the only problem is i can't get to download it because my winupdate wants to keep reinstalling the above mentioned. it doesn't want to download anything else.

should i just order the cd (sp2) and do it all at once? would i need to remove my previous hotfixes? and what about loading my software - should i wait to install most of my programs after sp2, or before? due to your comment about some programs needing extra attention? what programs tend to need help? and what about security - i have norton and pc-cillin. (norton systemworks and pc-cillin internet security)?

sorry for all the ?s

thanks

#7 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:02:19 PM

Posted 24 February 2005 - 11:25 PM

i can't get past it. and i needed to have the computer running normal again, so i just reformatted my drive. i just recently upgraded to a new hard drive and so all my files were already ready to install.

I would have done the same thing.

I'd do this.
Now that you have a fresh install.

Uninstall the programs again.
That won't take much time.

Download SP2.
When it does that, it significantly improves (and changes) the OS.

Because it does that, and because it is designed for security,

Having it in place BEFORE you load your programs is good.

Load each one-at-a-time, and check them out carefully.

If you have any unusual problems, pause.
Check that site out I linked above.

You'd be checking for "third party vendors".
Many, if problems have been reported about their product,
have issued updates themselves to deal with them.

Norton just so happens to be one that has
experienced more than its fair share of problems-post-SP2.
Actually, free alternatives exist that function better than it in many ways.

But try it on your PC with the other programs you use before you bail out
of using it in favor of others.

Especially if you paid for them.

I also had problems with my Sony CD-RW & the shareware that came with it.
B's Recorder Gold 5.

They wanted me to buy up to deal with their problems.
I dumped 'em.
In favor of Nero, which works flawlessly with SP2.

I really haven't had much of any incident other than the CD-burning issues.

Sygate firewall works great, AVG anti-virus performs very well.
All of the anti-spyware programs do great.

So, I'm including the recommendations I would have given you once we cleaned the PC (not needed now that you have reformatted).

These recommendations are valid now, though, for normal operation of a clean PC.

Also, I typically DEFRAGMENT my HD after a lot of installation/uninstallation.

I also run a registry cleaning program.
The one I trust I had to pay for though.
(Iola System Mechanic 5)
It's $50.00 or $70.00 for pro,
but just use the free 30 day trial to get squared away.

http://www.bleepingcomputer.com/forums/ind...ic=11668&st=0&#

And the system restore information is just good to know.

You should disable & re-enable your System Restore to set a new restore point.
This ensures that there are no infected files found in a restore point left over from what we have just cleaned.
Additional information & instructions are here.


Some other steps to be taken are:

1. Use secure Internet Explorer settings
  • Open IE and check tools-->internet options-->security-->click internet icon-->(default is medium).
  • Click custom and check that these settings are:
  • Download unsigned ActiveX controls - prompt
  • Initialize and script ActiveX controls not marked as safe - disable
  • Installation of desktop items - prompt
  • Launching programs and files in IFRAME - prompt
  • Navigate sub-frames across different domains - prompt
2. Use AntiVirus Software & Update Frequently. It's best to use only one.
  • An excellent free program is AVG, if you need an option.
  • This program can be set to automatically scan & either auto-update or you may choose to do that yourself.
  • Virus definition updates with this program occur frequently, which is very good.
3. Use a Firewall, but use only one. If you install your own, disable the built-in winXP firewall.
  • Excellent free programs available include:
  • Sygate
  • Kerio
  • (others are also available)
  • Choose one (if you do not already use a firewall). Keep your Firewall up & monitor its configurations (fully understanding its operation may require some thought & a little practice, but it helps greatly to have it installed and functioning)
4. Use Microsoft Windows Updates Frequently
  • SP2 is the most recent Service Pack available.
  • More updates have already been made to it, so remain current in regards to security issues in particular.
5. Use Spybot S&D & Update
  • Install and use this program with its TeaTimer option. (Advanced Mode-->Tools-->Resident)
  • It provides realtime spyware & hijacker protection alongside your virus protection.
  • Scan with this program on a regular basis, just as you would an antivirus software.
  • Check for updates when you do. Use the help menu, and a tutorial is available.
6. Use SpywareBlaster & Update
  • Install and use this program
  • Adding a large list of sites/programs into your Browser settings, it protects you from running or downloading known malicious programs.
  • You may customize it if required to accommodate your individual needs, and updates are also frequently issued with new definitions added
  • Make it a habit to run and update on a regular basis.
7. Use Ad-Aware & Update
  • Install, configure and use this program with the others.
  • It is very well thought of in its effectiveness, it complements the actions of the others.
  • It provides for additional plug-in specialty tools as well as an upgrade if you choose them.
  • Updates are frequent, so I suggest that you do both that and run the program regularly.
8. Use an alternative Browser Frequently. You may use several if you like.
  • Consider using Firefox as an alternative to IE for fundamental security reasons.
  • You can have both easily. Doing so will provide you with several benefits and options.
  • Other alternative browsers are also available at no charge
  • They do not have inherent vulnerabilities to the extent that IE does.
  • They are not subject to the same attention by malware creators as IE, which is much more commonly used.
  • All of these recommendations will provide a valuable service to you, and no conflicts exist when operating them together on your PC & winXP OS.
  • Please enact them for your own sake and that of the Internet itself.
9. Use BleepingComputer Tutorials & Resources Frequently. "and check for updates...:thumbsup:"
  • While cleaning your PC important tutorials were offered to explain what was being done.
  • Urgency to accomplish the task may have compromised your full understanding of what all was involved.
  • There is always room for improvement when using a personal computer.
  • Resources are available here and improving all the time.
  • Some that deal with these recommendations & other topics include:
Tutorials available for more in-depth considerations.
Switching from Internet Explorer to Firefox
Four Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Guide to Windows XP Recovery Features
Steps to take when connecting a new computer to the Internet
Microsoft Anti-spyware Beta 1 "let's see screenshots"

For your information.
Additional modifications can be made to your PC.
Optional running processes & the registry entries that make them run are not malware,
but can affect your boot initialization & other characteristics of how your PC operates.
You can enter the running process filenames into any of these online databases to learn more about them.
BleepingComputer Startup Database.
ATW Task List.
Windows Startup Online.
ProcessLibrary
There are also other sites.
Since only you know how you use your programs, it's fair to say you might benefit
by knowing more about each of the ones that appear in your log.

For example:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
startup database info

Questions about them will best be answered after you've had a chance to
check some of them out first, as your PC is now technically clean.


Edited by phawgg, 24 February 2005 - 11:31 PM.

patiently patrolling, plenty of persistent pests n' problems ...
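
The lookup step suggested in the post above (entering file names from the log into a startup database), as an added example that is not part of the thread: it splits HijackThis entry lines into section code and file name and orders the names for lookup. The sample lines are copied from the log in post #1; the function names and the hint rules are assumptions made for illustration, a reason to look a name up first and not a verdict on any file.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Sample input: a few entry lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\nbdvl.dll/sp.html#12345
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97C150E5-B600-7BAA-FD1E-67BAB832252E} - C:\WINNT\system32\mswa.dll
O4 - HKLM\..\Run: [atlsg32.exe] C:\WINNT\system32\atlsg32.exe
O15 - Trusted Zone: *.blazefind.com
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINNT\system32\addqb.exe
"""

# "R1 - ...", "O23 - ...": section code, then the entry detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# First drive-letter path in the detail that ends in a loadable file type.
FILE = re.compile(r"[A-Za-z]:\\[^/\n]*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)


def parse_log(text):
    """Return one dict per entry line: section code, detail, file name or None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, "Running processes:" paths, blank lines
        code, detail = m.groups()
        f = FILE.search(detail)
        entries.append({"code": code, "detail": detail,
                        "file": basename(f.group(0)).lower() if f else None})
    return entries


def review_hints(entry):
    """Illustrative heuristics (assumptions): reasons to look an entry up first."""
    code, detail = entry["code"], entry["detail"]
    hints = []
    if code in ("R0", "R1") and "res://" in detail.lower():
        hints.append("IE search/start setting points into a local file")
    if code == "O2" and "(no name)" in detail:
        hints.append("browser helper object without a class name")
    if code == "O15":
        hints.append("site added to the Trusted Zone")
    if code == "O23" and "Unknown owner" in detail:
        hints.append("service binary without vendor information")
    return hints


def lookup_list(entries):
    """Unique file names to enter into a startup database, hinted ones first."""
    names = {}
    for e in entries:
        if e["file"]:
            names[e["file"]] = names.get(e["file"], False) or bool(review_hints(e))
    return sorted(names, key=lambda n: (not names[n], n))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for name in lookup_list(parsed):
        print(name)
    for e in parsed:
        for hint in review_hints(e):
            print(f'{e["code"]}: {hint}: {e["detail"]}')
```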



