
Status
Not open for further replies.

Registered · 2 Posts · Discussion Starter #1
I hope I'm doing the right thing here... I tried to follow the instructions, but I could not find the "posting" place (if this is not it)... please see my HJT log...
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:20:37 AM, on 11/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\arau\utap.exe
C:\PROGRA~1\eBlocs\SpyBlocs\GLF25.exe
C:\WINDOWS\system32\j?vaw.exe
C:\Documents and Settings\Danel Saavedra\My Documents\Applications\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {01BE998F-0B42-25E1-4203-5B806E7FB49D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {21C478B9-BA2F-90AF-2558-CCCE66E5B8BF} - C:\WINDOWS\System32\eadtbu.dll
O2 - BHO: (no name) - {6FFCFDEC-3529-4BFD-2B70-4EB60145F6BE} - (no file)
O2 - BHO: (no name) - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\ToolBand.dll
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [SpyBlocs] C:\Program Files\eBlocs\SpyBlocs\GLF25.exe
O4 - HKCU\..\Run: [Dlpo] "C:\Program Files\arau\utap.exe" -vt mt
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02ebae9da469515d7720/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Thanks...

Bearded Tech Monkey · 1,058 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.

Thanks,

RavenMind

Bearded Tech Monkey · 1,058 Posts
Hello, elausente. Thank you for being patient while I reviewed your log!

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you are unable to access Notepad during the fix. Also if any programs or tools are recommended for download, please do so prior to rebooting into Safe Mode.


  1. Enable the viewing of hidden files/folders:

    Go to My Computer > Tools > Folder Options > “View” tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible too.



  2. Reboot into Safe Mode.

    Restart the computer. While it’s booting up, tap the F8 key until a numbered menu appears. Choose “Safe Mode”, press Enter, and Windows will continue to load.



  3. End Running Processes:

    Make sure to close any open browsers. Go into HijackThis and click Config > Misc. Tools > Open Process Manager.
    Select the following, and click Kill Process for each one that is still listed:

    C:\Program Files\arau\utap.exe
    C:\PROGRA~1\eBlocs\SpyBlocs\GLF25.exe
    C:\WINDOWS\system32\j?vaw.exe



  4. Program Removals:

    Uninstall the following via “Add/Remove”, if they still exist. (Start > Settings > Control Panel > Add/Remove Programs)

    SpyBlocs - This program is considered rogueware and should be uninstalled. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection, and may actually contain adware/spyware. Please see the listing for SpyBlocs here for more information.



  5. HiJackThis Entries:

    Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=
    O2 - BHO: (no name) - {01BE998F-0B42-25E1-4203-5B806E7FB49D} - (no file)
    O2 - BHO: (no name) - {21C478B9-BA2F-90AF-2558-CCCE66E5B8BF} - C:\WINDOWS\System32\eadtbu.dll
    O2 - BHO: (no name) - {6FFCFDEC-3529-4BFD-2B70-4EB60145F6BE} - (no file)
    O4 - HKCU\..\Run: [SpyBlocs] C:\Program Files\eBlocs\SpyBlocs\GLF25.exe
    O4 - HKCU\..\Run: [Dlpo] "C:\Program Files\arau\utap.exe" -vt mt

    Please make sure to close all open windows & browsers, then click Fix Checked.



  6. File Deletions:

    Delete the following FILES and FOLDERS (each item is labelled below), if they still exist.
    • NOTE: If the full path to the file is not listed, then you should do a Search. (“Start” > “Search” > “For files or folders…” > “All files & folders”)

    C:\WINDOWS\System32\eadtbu.dll (file)
    C:\Program Files\eBlocs (folder)
    C:\Program Files\arau (folder)



  7. FindFile:

    There is a suspicious entry in your log that appears to be attempting to hide itself from us. The following procedure will help us identify this file & determine if it needs to be removed.

    • Launch Notepad
    • Copy/paste the contents of the box below into a new text file.

      dir C:\WINDOWS\system32\j?vaw.exe /a h > files.txt
      notepad files.txt
    • Save it to your Desktop with the name "FindFile.bat", as file type "all Files".
    • Locate FindFile.bat on your Desktop and double-click on it.
      It will open Notepad with some text in it.
    • Paste the contents of that file here.



  8. Reboot into Normal Mode.



  9. Online Scan:

    Using Internet Explorer, perform an online scan with Kaspersky WebScanner:

    Be sure to turn off the real-time scanner of any existing antivirus program while performing the online scan. (Norton)

    • Click on “Launch Kaspersky Anti-Virus Web Scanner”
    • Click Yes when prompted to install an ActiveX component.

      The program will launch, and begin downloading the definitions.

    • Click “NEXT” once the files have been downloaded.
    • Now click on Scan Settings:

    • Select the following under Scan Settings:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now, under Select a Target to Scan:
      • Select My Computer

      This will start the system scan. (It may take a while, so please be patient)

    Once the scan is complete it will tell you if your system has been infected.
    • Click on the Save as Text button.
    • Save the file to your desktop. (We will need it later)


  10. Windows Updates:

    IMPORTANT!:

    Before we can proceed any further, please visit Microsoft's Windows Update page and install ALL Critical Updates for your system (except Service Pack 2 (SP2)). SP2 should only be installed on a fully disinfected system. At the minimum, install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection, and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

    Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately, it's also this forum's policy that we only address users with a legal copy of Windows XP; therefore, if you cannot update Windows XP to SP1, we must stop the cleansing process here.


    Thank you for your cooperation.



Please post the following items in your next reply:
  1. Fresh HJT log, run in Normal Mode
  2. Results of the FindFile.bat
  3. Kaspersky scan results
  4. If you are still experiencing problems
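Step 7 of the reply above hunts for a file HijackThis could only render as j?vaw.exe, a name that looks like the legitimate javaw.exe except for one character it could not display. The script below is an added example (not part of this thread or of HijackThis) showing how a defender can flag such look-alike filenames in a directory listing; it assumes the "?" stands for a non-ASCII look-alike letter, uses a small hand-made table of Cyrillic/Greek confusables (not a complete list), and runs on a constructed sample listing rather than a real system32.

```python
import unicodedata

# Legitimate names that malware likes to imitate; javaw.exe is the one
# mimicked in the log above (assumption: the "?" hides a non-ASCII letter).
KNOWN_BINARIES = {"javaw.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

# Minimal look-alike table (lowercase only; casefold() lowers input first).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o r
    "\u0441": "c", "\u0445": "x", "\u0458": "j",                  # Cyrillic s h je
    "\u03bf": "o", "\u03b1": "a",                                 # Greek omicron, alpha
}

def confusable_skeleton(name: str) -> str:
    """Reduce a filename to the ASCII name it visually imitates.

    NFKC folds compatibility forms such as fullwidth letters onto ASCII;
    the table above covers letters from other scripts that look Latin.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(LOOKALIKES.get(ch, ch) for ch in folded)

def find_masquerading_names(names, known=KNOWN_BINARIES):
    """Return (name, imitated_name, [odd code points]) for each suspect.

    A name is suspect when it contains non-ASCII characters and, once
    reduced to its skeleton, equals a well-known binary name.
    """
    findings = []
    for name in names:
        if name.isascii():
            continue                      # the real javaw.exe passes through
        skeleton = confusable_skeleton(name)
        if skeleton in known:
            odd = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                   for c in name if not c.isascii()]
            findings.append((name, skeleton, odd))
    return findings

# Constructed sample listing standing in for "dir C:\WINDOWS\system32".
SAMPLE_LISTING = ["javaw.exe", "j\u0430vaw.exe", "notepad.exe",
                  "\uff53vchost.exe", "eadtbu.dll"]

if __name__ == "__main__":
    for name, target, odd in find_masquerading_names(SAMPLE_LISTING):
        print(f"{name!r} imitates {target}: {', '.join(odd)}")
```

The same check can be pointed at a real listing by feeding it `os.listdir()` output; only names with non-ASCII characters are ever reported, so genuine binaries never show up as hits.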