
Status: Not open for further replies.

Registered · 23 Posts · Discussion Starter · #1
hi

My Norton 2005 expired and in like 5 minutes I got like 20 warnings about my computer being infected. My homepage is gone. I can't open sites, my desktop has been hijacked by something I can't change, and processes like notepad.com turn up in the processes. I ran a full Norton scan and nothing turns up.. but please can you guys tell me what to delete from this hijack log..

Logfile of HijackThis v1.98.2
Scan saved at 12:11:49 PM, on 10/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\svchop.exe
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochop.dll/defaultASX.htm#privacy_API;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11d104eed610c8abac05/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimport/ms/emailimport.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

I'd really appreciate any help.. bye :sad:

mk
 

Bearded Tech Monkey · 1,058 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.

Thanks,

RavenMind
 

Bearded Tech Monkey · 1,058 Posts
Hello, mk-niceguy. There are a few things we need to do before I can address the malware in your log.



  1. Update HijackThis

    You are using an outdated version of Hijack This, and I'm not seeing all the entries that should be there. So before we address any entries in the log please delete your old copy of HJT, then download and install the latest version by going to this Site. Please make sure to put it into a permanent folder (the old folder should work).


  2. Scan with SpyBot S&D:

    Download Spybot S&D.
    1. After you have installed it, Click on the Search for Updates button. Install any updates that are available.
    2. Go to the Mode menu and choose Advanced Mode.
    3. Next click on Immunize to your left.
    4. In the ensuing window, Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update.
    5. Click on the 'Spybot-S&D' option on the top left to go back to the main screen.
    6. Click on the Check for Problems button. Let it run the scan.
    7. If it finds something, Select all those in RED and hit the Fix Selected Problems button.
    8. Exit Spybot.


  3. Scan with AdAware:

    Download and install AdAware SE Personal.
    Some of the settings will need to be changed before your first scan.
    1. Close ALL windows except Ad-Aware SE.
    2. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
    3. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
      • In the ‘General’ window make sure the following are selected in green:
        • Under [Safety]:
          • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
      • Under [Definitions]:
        • Prompt to update outdated definitions - set the [number of days]
    4. Click on the ‘Scanning’ button on the left and select in green:
      • Under [Driver, Folders & Files]:
        • Scan Within Archives
      • Under Select drives & folders to scan:
        • choose all hard drives
      • Under [Memory & Registry]: all green
        • Scan Active Processes
        • Scan Registry
        • Deep Scan Registry
        • Scan my IE favorites for banned URL’s
        • Scan my Hosts file
    5. Click on the [‘Advanced’] button on the left and select in green:
      • Under [Shell Integration]:
        • Move deleted files to recycle bin
      • Under [Logfile Detail Level]: all green
        • include additional object information
        • DESELECT - include negligible objects information
        • include environment information
      • Under [Alternate Data Streams]:
        • Don't log streams smaller than 0 bytes
        • Don't log ADS with the following names: [CA_INOCULATEIT]
    6. Click the ‘Tweak’ button and select in green:
      • Under [Scanning Engine]:
        • Unload recognized processes during scanning
        • Scan registry for all users instead of current user only
      • Under [Cleaning Engine]:
        • Let Windows remove files in use at next reboot
      • Under [Log Files]:
        • Include basic Ad-aware SE settings in logfile
        • Include additional Ad-aware SE settings in logfile
        • Please do not Select: Include Module list in logfile
    7. Click on ‘Proceed’ to save the settings.

    Now run a scan:
    1. Click ‘Start’
    2. Choose 'Perform Full System Scan'
    3. DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
    4. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
    5. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
    6. Right-click on the list and choose [Select All]
    7. Click the [Next] button to finish removing the items that were found
    8. When finished, REBOOT, to complete the removal of what Ad-Aware SE found


In your next reply, please post the following items:

  1. Fresh HJT log (AFTER updating HJT, & running SpyBot & AdAware)
  2. Anything SpyBot & AdAware found but could not remove.
 

Registered · 23 Posts · Discussion Starter · #4
did it

Hey Raven,

thanks for your response.

I did what you asked me to. This is the new log. Nothing changed after the scans... it found cookies and something called PSGuard desktop hijacker... but the stuff is still there and my homepage is now... res://shdochop.dll/blank.html.

This is the new HJT log


Logfile of HijackThis v1.99.1
Scan saved at 5:56:27 PM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\svchop.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdochop.dll/blank.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11d104eed610c8abac05/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimport/ms/emailimport.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

...

please help me. thanks
mk
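The two logs above differ in only a handful of lines, and the entries that matter (the res:// start page, the svchop.exe Run key, the extra program on the system.ini Shell= line in the first log) are the kind a small triage script can surface before anyone reads 80 lines by hand. The following is an added example written for this thread, not a HijackThis or TSF tool: it parses the HJT layout shown above, diffs the 10/20 and 10/22 logs, and flags start pages that are not web URLs, a Shell= value that launches more than explorer.exe, and file names that are near-misses for core Windows binaries. The embedded excerpts are trimmed copies of the logs posted here; the known-binary list and the 0.75 similarity threshold are assumptions tuned to those excerpts, and a real tool would allow-list by full path and hash rather than by name.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread; not a HijackThis or TSF tool. Parses the
"Running processes:" block and the "R0 - ... / F2 - ... / O4 - ..." entry
lines, diffs two logs, and flags the lines a log reader checks first.
"""
import re
from difflib import SequenceMatcher

# Core Windows binaries that hijackers of this era imitated by name (assumed list).
KNOWN_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "explorer.exe", "shdocvw.dll"}
SIMILARITY = 0.75                              # difflib ratio for a "lookalike" (tuned here)
CHECKED_SECTIONS = {"R0", "R1", "F2", "O4"}    # start-page and autostart sections
WEB_URL_PREFIXES = ("http://", "https://", "about:")

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
FILE_RE = re.compile(r"[\w~.-]+\.(?:exe|dll)", re.IGNORECASE)


def parse_hjt(text):
    """Return (processes, entries): process paths and (section, body) pairs."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                 # block runs until the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["sec"], m["body"]))
    return processes, entries


def lookalike_of(filename):
    """Return the core binary `filename` resembles, or None if genuine or unlike."""
    name = filename.lower()
    if name in KNOWN_BINARIES:
        return None
    for known in sorted(KNOWN_BINARIES):
        if SequenceMatcher(None, name, known).ratio() >= SIMILARITY:
            return known
    return None


def flag_entries(processes, entries):
    """Return (text, reason) pairs for lines that deserve a second look."""
    findings = []
    for proc in processes:
        hit = lookalike_of(proc.rsplit("\\", 1)[-1])
        if hit:
            findings.append((proc, f"process name resembles {hit}"))
    for sec, body in entries:
        text = f"{sec} - {body}"
        if sec in ("R0", "R1") and "Start Page" in body:
            value = body.split("=", 1)[1].strip()
            if value and not value.lower().startswith(WEB_URL_PREFIXES):
                findings.append((text, "start page is not a web URL"))
        if sec == "F2" and "Shell=" in body:   # only explorer.exe belongs here
            programs = re.split(r"[ ,]+", body.split("Shell=", 1)[1])
            extra = [p for p in programs if p and p.lower() != "explorer.exe"]
            if extra:
                findings.append((text, "Shell= also launches " + ", ".join(extra)))
        if sec in CHECKED_SECTIONS:
            for fname in FILE_RE.findall(body):
                hit = lookalike_of(fname)
                if hit:
                    findings.append((text, f"{fname} resembles {hit}"))
    return findings


def triage(text):
    """Parse one log and return its findings."""
    return flag_entries(*parse_hjt(text))


def diff_logs(old_text, new_text):
    """Return (removed, added) entry lines between two logs of the same machine."""
    old = {f"{s} - {b}" for s, b in parse_hjt(old_text)[1]}
    new = {f"{s} - {b}" for s, b in parse_hjt(new_text)[1]}
    return sorted(old - new), sorted(new - old)


# Trimmed copies of the 10/20 and 10/22 logs posted in this thread.
LOG_OCT20 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchop.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochop.dll/defaultASX.htm#privacy_API;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home
"""
LOG_OCT22 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchop.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdochop.dll/blank.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home
"""

if __name__ == "__main__":
    for text, reason in triage(LOG_OCT20):
        print(f"{reason:40} {text}")
    removed, added = diff_logs(LOG_OCT20, LOG_OCT22)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

Run as a script it prints five findings for the first log (the svchop.exe process, the res:// start page twice, once for the scheme and once for the shdochop.dll name, the Shell= line and the FH Run key) and shows that between the two logs the F2 line and the old start page went away while the new res://shdochop.dll/blank.html start page appeared. The fuzzy-name check is deliberately narrow: it only looks at the process list and the start-page/autostart sections, because service names such as SBServ.exe sit close enough to services.exe to trip a looser match.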
 

Bearded Tech Monkey · 1,058 Posts
Thank you, I will be back with a response shortly.
 

Bearded Tech Monkey · 1,058 Posts
Hello, mk. Thank you for being patient while I reviewed your log!

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you are unable to access Notepad during the fix. Make sure to work through the fixes in the exact order they are presented. If there is anything that you don't understand, ask me about it before proceeding with the fixes. It is important to close all browsers (Internet Explorer, My Computer, etc.) or windows when you are running any scans, tools, or HJT.



  1. Enable the viewing of hidden files/folders:

    Go to My Computer > Tools > Folder Options > “View” tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible too.



  2. Reboot into Safe Mode.

    Restart the computer. While it’s booting up, tap the F8 key until a numbered menu appears. Choose “Safe Mode”, press Enter, and Windows will continue to load.



  3. HiJackThis Entries:

    Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdochop.dll/blank.html
    O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11d104e...ip/RdxIE601.cab

    Please make sure to close all open windows & browsers, then click Fix Checked.



  4. File Deletions:

    Delete the following FILES indicated in RED, if they still exist:

    shdochop.dll
    C:\WINDOWS\system32\svchop.exe



  5. Online Scan:

    Perform an online scan with Internet Explorer with Kaspersky WebScanner

    Next Click on Launch Kaspersky Anti-Virus Web Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Standard
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    Take note of the names and locations of any file it detects but fails to clean.

    * Turn off the real time scanner of any existing antivirus program (Norton) while performing the online scan




  6. Reboot into Normal Mode.


Please post the following items in your next reply:
  1. Fresh HJT log
  2. Results of the Kaspersky scan
 

Registered · 23 Posts · Discussion Starter · #7
done

Logfile of HijackThis v1.99.1
Scan saved at 1:18:56 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijack\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.xpres-net.com/wfplayer/tdserver.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimport/ms/emailimport.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

..


When I was in Safe Mode the shdochop.dll thing didn't show up... but when I got back into Normal Mode it was right there... and I deleted it, and my homepage is no longer that junk site... but my desktop is still hijacked and isn't changing from some adware advertisement link. Here's the scan log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 23, 2005 16:18:22
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/10/2005
Kaspersky Anti-Virus database records: 146419
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 80241
Number of viruses found: 15
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 8447 sec

Infected Object Name - Virus Name
C:\Program Files\hijack\backups\backup-20050102-003630-597-Windows Timer.hta Infected: Trojan-Downloader.VBS.Psyme.be
C:\Program Files\hijack\backups\backup-20051020-033226-617-OSA.exe Infected: Trojan-Downloader.Win32.Delf.ks
C:\Program Files\Internet Explorer\unwspa.exe Infected: Trojan-Dropper.Win32.Small.oa
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28392067.exe Infected: Trojan-Downloader.Win32.Small.jl
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2F6824DB.XLS Infected: Email-Worm.Win32.Blebla.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\38475AF2.cla Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\385A56DD.dll Infected: Virus.Win32.Nsag.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip/a.class Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388B4CA7.cla Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388F76A3.exe Infected: Trojan-Dropper.Win32.Agent.ta
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\389C1E95.cla Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\389C1E95.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\52EE043E.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\52F12E3A.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\537C0BA3.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\645D6889.exe Infected: Trojan.Win32.StartPage.qp
C:\WINDOWS\system32\oleext.dll Infected: Trojan.Win32.Small.ev
C:\WINDOWS\uninstIU.exe Infected: Trojan.Win32.Small.ev

Scan process completed.
...

I deleted the stuff in my Norton quarantine backups... but other than that.. I still don't know why my desktop is still screwed up.. things run slow now too.. please help.

mk
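Most of the 21 hits in the Kaspersky report above are copies that Norton had already quarantined or that HijackThis had saved as backups; the files that still matter for cleanup are the three outside those folders, which is exactly the split the next reply's deletion list reflects. The following is an added example written for this thread, not a Kaspersky or TSF tool: it parses the "Infected Object Name - Virus Name" section of a report in the layout shown above, folds archive members (388578AE.zip/a.class) back onto the archive file, and separates contained copies from live files. The report lines are copied from this thread; the container-folder patterns are an assumption for this example.

```python
"""Sort a Kaspersky On-line Scanner report into contained and live detections.

Added example for this thread, not a Kaspersky or TSF tool. Detections inside an
AV quarantine or a HijackThis backup folder are copies another tool has already
neutralised; the cleanup list is whatever is left. Archive members are reported
as archive.zip/member and are folded back onto the archive file.
"""
import re
from collections import Counter

# Folders whose contents another tool already neutralised (assumed patterns).
CONTAINED_DIRS = ("\\Quarantine\\", "\\hijack\\backups\\")
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")


def parse_report(text):
    """Return (path, detection) pairs from the 'Infected Object Name' section."""
    items, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_section = True
            continue
        if not in_section or not line:
            continue
        m = DETECTION_RE.match(line)
        if not m:                      # "Scan process completed." ends the list
            break
        items.append((m["path"], m["name"]))
    return items


def on_disk_file(path):
    """Archive members look like archive.zip/member; return the file on disk."""
    return path.split("/", 1)[0]


def classify(items):
    """Return (contained, live): each maps a file path to its detection names."""
    contained, live = {}, {}
    for path, name in items:
        file = on_disk_file(path)
        bucket = contained if any(d in file for d in CONTAINED_DIRS) else live
        bucket.setdefault(file, set()).add(name)
    return contained, live


def type_counts(items):
    """Count detections by Kaspersky's leading type (Trojan, Exploit, ...)."""
    return Counter(name.split(".", 1)[0] for _, name in items)


# Detection section copied from the report posted in this thread.
REPORT = r"""Infected Object Name - Virus Name
C:\Program Files\hijack\backups\backup-20050102-003630-597-Windows Timer.hta Infected: Trojan-Downloader.VBS.Psyme.be
C:\Program Files\hijack\backups\backup-20051020-033226-617-OSA.exe Infected: Trojan-Downloader.Win32.Delf.ks
C:\Program Files\Internet Explorer\unwspa.exe Infected: Trojan-Dropper.Win32.Small.oa
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28392067.exe Infected: Trojan-Downloader.Win32.Small.jl
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2F6824DB.XLS Infected: Email-Worm.Win32.Blebla.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\38475AF2.cla Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\385A56DD.dll Infected: Virus.Win32.Nsag.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip/a.class Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388578AE.zip Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388B4CA7.cla Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\388F76A3.exe Infected: Trojan-Dropper.Win32.Agent.ta
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\389C1E95.cla Infected: Trojan.Java.ClassLoader.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\389C1E95.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\52EE043E.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\52F12E3A.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\537C0BA3.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\645D6889.exe Infected: Trojan.Win32.StartPage.qp
C:\WINDOWS\system32\oleext.dll Infected: Trojan.Win32.Small.ev
C:\WINDOWS\uninstIU.exe Infected: Trojan.Win32.Small.ev

Scan process completed.
"""

if __name__ == "__main__":
    items = parse_report(REPORT)
    contained, live = classify(items)
    print(f"{len(items)} detections: {len(contained)} contained file(s), {len(live)} live file(s)")
    for path, names in sorted(live.items()):
        print(f"  LIVE  {path}  <-  {', '.join(sorted(names))}")
    print(dict(type_counts(items)))
```

On this report the script reduces 21 detections to 15 already-contained files and 3 live ones (unwspa.exe, oleext.dll and uninstIU.exe), with the four ClassLoader hits collapsing onto the single quarantined 388578AE.zip. Emptying the quarantine, as the poster did, clears the contained set but does nothing about the live files, which is why the desktop hijack persisted.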
 

Bearded Tech Monkey · 1,058 Posts
  1. Downloads

    Download smitRem.exe and save the file to your desktop.
    Double click on the file to extract it to its own folder on the desktop.


    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/


    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.



  2. Reboot into Safe Mode:

    Next, please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.



  3. HJT Fixes:

    Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    Close HiJackThis.



  4. SmitRem:

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.




  5. Ewido:

    Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido



  6. Desktop Security:

    Next go to Control Panel (Start > Settings). Click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.



  7. File Deletions:

    Delete the following FILES indicated in RED, if they still exist:

    C:\Program Files\Internet Explorer\unwspa.exe
    C:\WINDOWS\uninstIU.exe



  8. Online Scan:
    Now, using Internet Explorer, do an online scan at Panda ActiveScan.
    1. Click on the Scan your PC button & a 'pop up' window shall appear. * Ensure that your pop-up blocker doesn't block it.
    2. Click on 'Next'.
    3. Enter your e-mail address & click 'Send'; this begins downloading Panda's ActiveX controls (8 MB).
    4. In the next window, checkmark the following:
      • Disinfect automatically
      • Scan compressed files
      • Scan e-mail files
      • Detect unknown viruses (heuristic)
      • Detect spyware
    5. Begin the scan by selecting All My Computer
      * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
    6. If it finds any malware, it will offer you a report. Click on see report
    7. Then click Save report
    8. Post the contents of the report in your next reply




Please post the following in your next reply:

  1. Panda scan report
  2. New HJT log, run in Normal Mode
  3. smitfiles.txt, copy & pasted into the thread
  4. Ewido log, copy & pasted into the thread
  5. If you're still experiencing any problems
 