
Plz Check My HiJackThis Log - Suspected Bug

Status
Not open for further replies.

imsohood8424 (Programmer), Apr 2, 2004
Hi, for some reason I have reason to believe that a bug is on my computer. I would greatly appreciate it if someone could help me out with my HiJackThis log. I ran this after I ran SpyBot & AdAware (both updated).

Thanks SO much in advance:

Logfile of HijackThis v1.97.2
Scan saved at 11:40:19 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Norton AntiVirus2\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot_AdWare\SpybotSD.exe
C:\Documents and Settings\Karunya\Desktop\Unused Desktop Icons\HiJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus2\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus2\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKLM\..\RunServices: [Win l5oahder] winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
 
These two items are both dodgy. I would disable System Restore first, remove these items with HijackThis, then run a full virus scan over the PC.

O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKLM\..\RunServices: [Win l5oahder] winampa.exe

Once the virus scan has cleaned everything it has found, re-enable System Restore and reboot.

John
 
You shouldn't run HijackThis from your desktop; better practice is to put it into its own folder for a more accurate result!

pech
 
Wow, after I ran this HiJackThis, the next day (today) I ran Norton AntiVirus and found two adwares on my C drive, and two viruses. It cleaned out the viruses through Quarantine, but it said 'Delete Failed' and asked me if I should exclude these from future scans. Anyone have any comments on these two, or had them?

cd client.dll
iic385.exe

Appreciate it..., J.C.

 
Hello

Did you disable system restore first? This is most likely to be the reason that stops the files getting deleted, if they have gone into the system restore folder.
Go to Start -> right-click My Computer -> Properties -> System Restore tab and untick "Enable System Restore on all drives", acknowledge all the warnings you will get, then run a full scan with your Norton.
After that, empty the quarantine folder and re-enable System Restore.

John
 
Thanks John, well I ran Norton AntiVirus this time with System Restore off and this time the two bugs that came up last time did not come up. Last time it said it did not delete them. Well, hopefully they are gone. I opened up the Norton AntiVirus\Quarantine folder and deleted the two files which had numbers as their file names.

I wasn't sure about navntutle.dll, incoming, portal so I just left those.

Thanks again for everybody's help on this.
 
Since no one is gonna ask... I will.

the entry "C:\Program Files\Spybot_AdWare\SpybotSD.exe"

I've never seen Spybot install to a directory like that, and where is the usual SDHelper.dll that would also show in the HiJackThis log as a BHO?

Maybe you did this on purpose or maybe you got some bogus version of Spybot, but I would look into it.
 
Create a directory under "My Documents" called HijackThis and install the exe file there - Do not run it from the desktop.

Close all IE windows and delete the following entries in HijackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

DO NOT delete:
O4 - HKLM\..\RunServices: [Win l5oahder] winampa.exe
But rather right click on the winamp agent icon in your system tray and select "Disable Winamp Agent". This maintains file associations and resets them back to winamp.

This entry:
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
is a virus - Check here for removal instructions:
 
Hi, it took me a while but I believe I got out all the bugs and the viruses that were harming my system. Can someone please check this over? For some reason I've been getting Windows pop-ups, so I'm pretty sure I haven't taken out everything, but it's fewer, which is good... Again, appreciate everybody's help on this one, thanks again...

Logfile of HijackThis v1.97.2
Scan saved at 1:30:50 PM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Customizer XP\RAM_2K.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONEAL~2\zlclient.exe
C:\WINDOWS\System32\iefeatures.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Direct Connect\DC++\DCPlusPlus.exe
C:\Documents and Settings\Karunya\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONEAL~2\zlclient.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
 
iefeatures is a program for downloading other spyware. There are two instances of it:

O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe

O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

RAM_2K.exe I haven't been able to positively identify as any particular application, but other than that, it looks clean.

John
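As an added illustration (not code from this thread or from HijackThis itself), the script below encodes the three checks the replies apply when reading a HijackThis log: an O4 autostart whose command is a bare file name with no directory, an entry whose target is "(no file)", and HijackThis being run from the Desktop folder. The sample lines are constructed from the logs quoted above; the regex and the rule wording are my own assumptions about the v1.97 line format.

```python
import re

# Constructed sample: entries copied from the HijackThis 1.97.2 logs quoted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Karunya\Desktop\Unused Desktop Icons\HiJackThis\HijackThis.exe
O4 - HKLM\..\RunServices: [Configuration Loader] configldr.exe
O4 - HKLM\..\RunServices: [Win l5oahder] winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# O4 registry autostart: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_o4(line):
    """Split an O4 registry entry into hive, key, value name and command; None if not one."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None

def executable_of(cmd):
    """First token of the command line, with surrounding quotes stripped."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage(log_text):
    """Return (line, reason) pairs for entries the thread's replies would ask about."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        # The replies advise against running HijackThis from the Desktop folder.
        if line.lower().endswith("hijackthis.exe") and "\\desktop\\" in line.lower():
            findings.append((line, "HijackThis run from Desktop; move it to its own folder"))
        # R3/O2/O3 entries whose target is gone are orphaned registry entries.
        elif line.endswith("(no file)"):
            findings.append((line, "orphaned entry, target file missing"))
        entry = parse_o4(line)
        if entry:
            exe = executable_of(entry["cmd"])
            # Both RunServices items John flagged were bare file names with no directory:
            # Windows resolves them through the search path, so the binary has to be
            # located and identified by hand (winampa.exe turned out to be Winamp Agent).
            if "\\" not in exe:
                findings.append((line, f"autostart without a path: identify {exe}"))
    return findings
```

The iefeatures.exe entry passes all three checks, which is why it was identified from knowledge of the program rather than from the log's shape alone.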
 