hjt log and problem explanation


3 replies to this topic

#1 AkaAlias

AkaAlias

  • Members
  • 70 posts
  • Location:Roermond, The Netherlands

Posted 11 January 2005 - 01:43 PM

Hi there,

first of all, thank you for taking the time to check out my post! I'm Dutch and it'll take some time for me to try and explain the problems I'm experiencing, I'll try to be as clear as possible. Plz forgive me if I'm making no sense :thumbsup:.

------

Ok here goes... The problem:

The problem appeared approximately 2 weeks ago and consists of not being able to access 'https' websites such as hotmail and gmail and others.
Also when I try to login to msn it gives me the following error code: 0x81000370

I'm using Windows XP with sp2.
Mozilla Firefox is my web browser, but I still have IE installed.
Norton av2004 is my anti virus program.
Msn version 6.2 with msn+

------

Things i've tried to fix these problems:

First I tried to see if it may be a virus related problem, scanned with Norton AV2004, Spybot S&D and Ad-Aware. All these programs are fully up to date. The problem still exists after scanning and deleting/repairing anything it detected.

I've googled all these problems and found lots of different solutions.

I've tried different kinds of IE internet option settings, including disabling 'Check for Server Certificate Revocation (requires restart).' and restoring the default settings.
After restart it sometimes worked but only for approx. 5 min. Or after restart the problem returned.

I've tried to add all the hotmail sites to the 'trusted sites' in IE (see img or url):

[image: screenshot of the IE Trusted Sites list; the linked copy is no longer available]

I've tried to disable the Windows XP firewall, restarting my computer. The result was that I could access hotmail and all other sites and msn again, but after approx. 5 min. the problem returned.

I've tried to uninstall Norton AV2k4, which resolved the problem for approx. 5 min. before it returned once more.

I've tried to go back to a previous system restore point, which gave me the message that it couldn't go back to that point because there were no changes made in the system.
A few days back, after trying one of the above (so called) solutions, I made a new restore point when everything was working again; after approx. 5 min. the problem was back. I restored the system to the restore point, it worked again for 5 min.

I've tried deleting all cookies and temporary internet files (also the offline temp internet files) in IE and Firefox with no results. Also tried deleting SSL status and saved passwords with no result.

Checked the cipher strength of IE, which stands at 128-bit, so that shouldn't be the problem.

I've tried repairing IE and disabling it altogether, again with no results. (Is it possible to do a fresh install of IE in XP, or only possible to repair or disable IE?)

Checked if 'Use SSL 2.0' and 'Use SSL 3.0' were enabled in IE, which was the case.

I've tried changing the MTU settings using DrTCP 0.21 with no effect (restored to default now).

I can't think of any other things I might have tried as for the above.
------

I'm no expert on HJT logs, hopefully you can find something which might resolve the problem.

Here is my current HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 19:33:57, on 11-1-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Winamp\winampa.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Java\jre1.5.0\bin\jusched.exe
F:\DOCUME~1\AkaAlias\LOCALS~1\Temp\searchbarcash.exe
F:\Program Files\Messenger Plus! 3\MsgPlus.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
F:\Documents and Settings\AkaAlias\Application Data\heab.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\WINDOWS\mmc.exe
F:\WINDOWS\system32\w?wexec.exe
F:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
F:\WINDOWS\system32\Wtablet\TabUserW.exe
F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\Program Files\Norton AntiVirus\SAVScan.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\Tablet.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Documents and Settings\AkaAlias\Mijn documenten\Mijn appz\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dxkqejmrfaycmkzgblnm.com/HS0_b5...uAvfYmuXvxX.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D7D8312-49F1-4604-F1DB-3AC68D17C4B2} - F:\WINDOWS\system32\qqjphibl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [mswspl] F:\DOCUME~1\AkaAlias\LOCALS~1\Temp\searchbarcash.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] F:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [Eusw] F:\Documents and Settings\AkaAlias\Application Data\heab.exe
O4 - HKCU\..\Run: [Clock] F:\WINDOWS\mshepl.exe
O4 - HKCU\..\Run: [Mrall] F:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = F:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = F:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: messenger.hotmail.com
O15 - Trusted Zone: http://messenger.hotmail.com
O15 - Trusted Zone: loginnet.passport.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: login.passport.net
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://memberservicenet.passport.net
O15 - Trusted Zone: memberservicesnet.passport.net
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095173365062
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} (One2One Viewer) - http://www.one2one.com/static/class/one2one.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{848F8D7D-7F07-4920-8B13-EF6303A379D7}: NameServer = 209.47.15.118,64.157.143.38,195.121.1.254,195.240.240.254
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - F:\WINDOWS\System32\Tablet.exe

------

I hope you can find the problem in here.
If you have any other ideas on how to fix the problem, don't hesitate to tell me plz!
I'm really stuck on this one, and my headache isn't going down either.

Thanks for all the help you can give me!!!

greets,

AkaAlias (Stefan Fincken)

Edited by AkaAlias, 11 January 2005 - 01:45 PM.


#2 AkaAlias

AkaAlias
  • Topic Starter

  • Members
  • 70 posts
  • Location:Roermond, The Netherlands

Posted 12 January 2005 - 01:41 AM

I've got some new things to be added to the 'things I've tried' list:

I've tried deleting the content of the following folders followed by a restart, c://windows/minidump and c://windows/prefetch. No result.

I've tried the 'find errors' option of the C:// drive, which checked and repaired any errors on the drive itself. I could use hotmail and msn and gmail again, but only for approx. 5 min.
------

I'm not sure if there's anything else I can do, except for a fresh install of XP...

Any help you can offer would be very much appreciated!

greets,

AkaAlias


------
*edit*

Just a little question here, I have two hard drives in my computer, one of 160 gig and one of 120 gig. Is it possible to transfer all my files to the drive that hasn't got XP installed on it and then do a fresh install on the XP drive, without losing my files that are on the other drive??

Edited by AkaAlias, 12 January 2005 - 01:47 AM.

#3 Grinler

Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 15 January 2005 - 05:14 PM

Your infection was most likely installed when you installed Messenger Plus. It's one called LOP.


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dxkqejmrfaycmkzgblnm.com/HS0_b5...uAvfYmuXvxX.jsp
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {5D7D8312-49F1-4604-F1DB-3AC68D17C4B2} - F:\WINDOWS\system32\qqjphibl.dll
O4 - HKLM\..\Run: [mswspl] F:\DOCUME~1\AkaAlias\LOCALS~1\Temp\searchbarcash.exe
O4 - HKCU\..\Run: [Eusw] F:\Documents and Settings\AkaAlias\Application Data\heab.exe
O4 - HKCU\..\Run: [Clock] F:\WINDOWS\mshepl.exe
O4 - HKCU\..\Run: [Mrall] F:\WINDOWS\system32\w?wexec.exe
O15 - Trusted Zone: messenger.hotmail.com
O15 - Trusted Zone: http://messenger.hotmail.com
O15 - Trusted Zone: loginnet.passport.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: login.passport.net
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://memberservicenet.passport.net
O15 - Trusted Zone: memberservicesnet.passport.net
O16 - DPF: {A1A961DA-2BA6-4032-859E-01AC35357163} (One2One Viewer) - http://www.one2one.com/static/class/one2one.cab

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

F:\WINDOWS\system32\qqjphibl.dll
F:\Documents and Settings\AkaAlias\Application Data\heab.exe
F:\WINDOWS\mshepl.exe

Reboot your computer to go back to normal mode and post a new log.
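Why the entries in that fix list stand out is easier to see in code. The checker below is an added example for this thread, not HijackThis itself and not something Grinler posted: it reads lines in the HijackThis format quoted in the first post and applies heuristic rules chosen here (a hosts entry pointing at a non-loopback address, an unnamed BHO or hook that has no file or loads from outside Program Files, an autorun from Temp or Application Data or with an unprintable character in its name, and any Trusted Zone entry), reporting why each line was flagged. The sample lines are copied from the log above; the rule set is an assumption, not HijackThis's own logic.

```python
import re

# Constructed sample: entries copied from the HijackThis log quoted earlier in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D7D8312-49F1-4604-F1DB-3AC68D17C4B2} - F:\WINDOWS\system32\qqjphibl.dll
O4 - HKLM\..\Run: [mswspl] F:\DOCUME~1\AkaAlias\LOCALS~1\Temp\searchbarcash.exe
O4 - HKCU\..\Run: [Eusw] F:\Documents and Settings\AkaAlias\Application Data\heab.exe
O4 - HKCU\..\Run: [Mrall] F:\WINDOWS\system32\w?wexec.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://login.passport.net
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O4 - <body>"
USER_WRITABLE = re.compile(r"\\Temp\\|\\Application Data\\", re.I)
PROGRAM_FILES = re.compile(r"\\(Program Files|PROGRA~1)\\", re.I)

def run_target(body):
    # O4 bodies look like 'HKLM\..\Run: [label] "path" args'; return just the path.
    target = body.split("] ", 1)[-1].strip()
    return target[1:].split('"', 1)[0] if target.startswith('"') else target

def flag(line):
    # Return a reason when the line matches one of the heuristic rules, else None.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code == "O1" and body.split()[1] != "127.0.0.1":
        return "hosts file redirects a domain to " + body.split()[1]
    if code in ("O2", "R3") and "(no name)" in body:
        if body.endswith("(no file)"):
            return "orphaned hook: CLSID registered but no file on disk"
        if not PROGRAM_FILES.search(body):
            return "unnamed BHO loading from outside Program Files"
    if code == "O4":
        t = run_target(body)
        if USER_WRITABLE.search(t):
            return "autorun from a user-writable folder (Temp / Application Data)"
        if "?" in t:
            return "autorun filename contains a non-printable character"
    if code == "O15":
        return "site in the IE Trusted Zone; confirm it was added deliberately"
    return None

def scan(text):
    # Return [(line, reason)] for every flagged line of a HijackThis log.
    return [(l.strip(), r) for l in text.splitlines() if (r := flag(l))]
```

Run `scan(SAMPLE_LOG)`: seven of the nine sample lines are flagged, while the Spybot SDHelper BHO (unnamed but under Program Files) and the Norton ccApp autorun pass.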

#4 AkaAlias

AkaAlias
  • Topic Starter

  • Members
  • 70 posts
  • Location:Roermond, The Netherlands

Posted 17 January 2005 - 03:09 AM

Thanks for the reply m8, but I've already reinstalled Windows. Now I can make a fresh start. I've followed the instructions on this forum and installed all the virus and spyware detection software, making plenty of restore points while installing new software.. think it's very secure now... I hope I can keep my comp clean now.

thanks for the help anyway!!

Edited by AkaAlias, 17 January 2005 - 06:21 AM.
