Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please help Diagnose


  • Please log in to reply
1 reply to this topic

#1 ste

ste

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:32 AM

Posted 24 June 2005 - 04:14 AM

Logfile of HijackThis v1.99.1
Scan saved at 11.01.45, on 24/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ntol32.exe
C:\WINDOWS\system32\atlfy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\SFerret\sferrt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\stefano.STEFANO-1O8DMRV\Impostazioni locali\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uphab.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uphab.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8C4EE7EF-A669-175D-54F7-B3DA23747F28} - C:\WINDOWS\system32\addrt.dll
O4 - HKLM\..\Run: [ntol32.exe] C:\WINDOWS\system32\ntol32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FE77B83-4E0F-4CEF-9023-B354496BDC51}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlfy.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe

BC AdBot (Login to Remove)

 


#2 njustice

njustice

  • Security Colleague
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:32 AM

Posted 24 June 2005 - 05:47 AM

ste,

Hello! and welcome to our help forums.

===============

When we're done cleaning off your system, I'd recommend that you install all the Critical Windows Updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from reoccuring in the future.


===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when your done with the following fix. If you have any problems with this step please continue on with the fix below.

===============

We'll need to download these program(s) to help us deal with the "About:Blank" infection:

-

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Exit the program.


Download, unzip to your desktop About:Buster and run it, then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip to step #4.)

3. Click "Download Update", and wait for it to be installed.
4. Exit the program.



===============

Reboot your computer into "Safe Mode"

===============

Next, locate CWShredder that you downloaded earlier and run it, then:

1. Click "Fix ->"

===============

Next, locate About:Buster that you downloaded earlier and run it, then:

1. Click "Start".

(Wait for the initial ADS scan to complete.)

2. Click "Yes", to shutdown any IE session currently open.

(Wait for the about:blank scan to complete.)

3. Click "Ok", to scan once more.
4. Click "Yes", to shutdown any IE sessions currently open.
5. Click "Yes", to begin the second pass.

6. Click "Save log", and post this log back along with your new log.
7. Click "Exit".
8. Click "Exit".

===============

Reboot your computer normally.

===============

Go to add/remove programs and uninstall SpyFerret (SFerret).

===============

Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uphab.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uphab.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uphab.dll/sp.html#37049

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {8C4EE7EF-A669-175D-54F7-B3DA23747F28} - C:\WINDOWS\system32\addrt.dll

O4 - HKLM\..\Run: [ntol32.exe] C:\WINDOWS\system32\ntol32.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\atlfy.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to"view system and hidden files/folders":

folders...

C:\SFerret

files...

C:\WINDOWS\system32\ntol32.exe
C:\WINDOWS\system32\atlfy.exe
C:\WINDOWS\uphab.dll
C:\WINDOWS\system32\addrt.dll

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

Post back a new log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!

-

~Njustice~
Have I helped you? Please consider donating to help me continue my fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users