I was definitely hijacked in IE. Start page went to about-blank and unwanted popups happened. I have fixed a number of items via HijackThis but I can't get rid of *.frame.crazywinnings.com in the trusted zone (O15). I tried to delete this URL in the IE6 tools menu and via HijackThis with no success. CWS items were also found and deleted by Ad-Aware and CounterSpy. Among other problems, ADDHB.EXE and SYSBH.EXE were found and deleted. In addition, R0, R1 and R3 items initially showed on the HijackThis log. Normally I use Netscape 7.2 but sometimes IE6 is necessary for compatibility reasons. My system (Win98SE) is working OK right now but I am afraid to use IE6 again until I am entirely clean.
I have done the following steps:
-Ad-aware in safe mode
-Spybot S&D (Tea Timer is now inactive)
-TrendMicro Online Scan
- Symantec antivirus (corporate version)
- CounterSpy (active protection is now disabled)
- Removed MS Java VM
- CWShredder
Thanks for considering this problem,
BigEv
Here is the log using KRC HijackThis Analyzer.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.98.2
Scan saved at 8:21:47 PM, on 3/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\evan\prefs.js)
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
https://www-secure.symantec.com/tech...a/LSSupCtl.cab
End of KRC HijackThis Analyzer Log.
====================================================================