
Need Help with Hijack This Log



#1 Tatootie

    Member

  • New Member
  • 3 posts

Posted 11 July 2004 - 11:25 AM

I'm trying to help out a friend. She had 3 viruses, and managed to delete/fix 2 of them. She says she still has one, but I am unable to find anything using NAV, and I've also tried online scanners, all the spyware programs, etc.
Her computer seems to run OK, except that it seems to restart on Windows XP updates. Also, it seems to be playing various Windows .wav files randomly, whenever something is loading (like the sounds you hear when you've received emails, etc.)
Below is the HijackThis log - I'm hoping someone can see something that doesn't belong! Thanks in advance

Logfile of HijackThis v1.97.7
Scan saved at 12:09:39 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\barbara johnston\Desktop\NewDrivers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Siemens SpeedStream Wireless PCMCIA.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.co...ontpop_test.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7868.4361574074
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab


peace

#2 Nuke&Pave

    Member

  • Full Member
  • 10 posts

Posted 11 July 2004 - 11:35 AM

She says she still has one


The problem with the last "virus" may be an organic one. What are her symptoms? Please don't think I'm being rude, I get a lot of virus calls that end up being broken scripting hosts or trashed registries.


{edit} Ignore everything I just said. I seem to be experiencing a reading problem. :whistle:

Note: People whose Group is 'Member' have no standing as helpers, and their advice should be regarded sceptically. We try to catch and fix anything dangerous, misleading, or inadequate, but can't always get there in time.


Edited by Nuke&Pave, 11 July 2004 - 11:37 AM.

I suggest you turn off the computer, burn down the house, and run for your life.

#3 Tatootie

    Member

  • New Member
  • 3 posts

Posted 11 July 2004 - 11:42 AM

The computer keeps restarting during XP updates. She's got 18 critical updates that need to go in, but during install, it restarts. Right before the restart, there's an error screen - can't seem to read it, because it's only there for 1/2 second. I saw something referring to the registry though.
Also, it will restart during other installs - it did it to me a little while ago while trying to install one of the spyware removers.

peace

#4 Nuke&Pave

    Member

  • Full Member
  • 10 posts

Posted 11 July 2004 - 12:01 PM

Have you tried getting the updates one at a time? If there is one update (or a type of update) that causes the reboot/error screen to happen, that might be a clue.

Silly as it sounds, clear %temp% first. Installation errors love to come from here.

Forgive me if you already know the following:

%temp% is where installation packages hang out. If this has LOTS of files, you can run into problems much like this one.

Start ------> Run. Type %temp%. (Edit: include the % signs)
Select all ------> Delete


This assumes the random sounds issue is unrelated, however.


As always (because I have no idea if I'm a moron or someone saying something useful), heed the following:

Note: People whose Group is 'Member' have no standing as helpers, and their advice should be regarded sceptically. We try to catch and fix anything dangerous, misleading, or inadequate, but can't always get there in time.


Edited by Nuke&Pave, 11 July 2004 - 12:06 PM.


#5 Tatootie

    Member

  • New Member
  • 3 posts

Posted 11 July 2004 - 12:17 PM

I tried what you suggested (deleted %temp%), then tried one update at a time - and it restarted with the same screen message (which I cannot read - too quick!) right after trying to install the first update - man I am so confused!!
How does the hijack file look? Any other suggestions?

peace

#6 Nuke&Pave

    Member

  • Full Member
  • 10 posts

Posted 11 July 2004 - 06:50 PM

I'm afraid that I recognize everything listed in HJT as legit.


I think you may be looking at something pretty serious at this point. My hope is that this message "bumps" this because of the following:

I recommend a reformat. I'd like to know the names of the viruses the machine had previously. Depending on the kind of damage they do, the OS may be toast.

The reason I'm hoping the bump here helps is that maybe there is someone who can offer an alternative I haven't thought of. I'll let that serve as the "I'm a newbie to this place" message I've been posting.


If you know the names, please post 'em. If not . . . +thank you, end call

#7 Budfred

    Malware Hound

  • Administrators
  • 21,305 posts

Posted 14 July 2004 - 11:08 PM

This is bad and needs to be fixed... Please close all open browsers and windows, open HJT and mark/fix:

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.co...ontpop_test.cab

Then please download the new version of HJT and run a fresh log after a reboot... You can get it from the link in my signature below.... Post the new log here so we can make sure it is clean...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
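As an added triage helper (example code written for this page, not from the thread, the forum or HijackThis itself): a small Python parser for the O16 (Download Program Files) lines of the log above that turns each into a structured record and lists the ones whose CLSID is not on a vetted list, so a helper can look them up one by one rather than eyeballing the raw log. The vetted CLSID set and the embedded sample text are this example's own assumptions; unlisted entries are "unknown, look it up", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the O16 (Download Program Files) lines from the log posted
# above, copied as the forum shows them, truncated URLs included.
SAMPLE_LOG = """\
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.co...ontpop_test.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7868.4361574074
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
"""

# Assumed vetted list: CLSIDs the helper has already looked up and recognised
# (the three named controls above). The set is this example's own assumption.
VETTED_CLSIDS = {
    "30528230-99F7-4BB4-88D8-FA1D4F56A2AB",
    "74D05D43-3236-11D4-BDCD-00C04F9A3B61",
    "9F1C11AA-197B-4942-BA54-47A8489BB47F",
}

O16_RE = re.compile(r"^O16 - DPF: (?P<desc>.+?) - (?P<url>\S+)$")
CLSID_RE = re.compile(r"^\{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))?$")

@dataclass
class DpfEntry:
    clsid: Optional[str]  # None when HJT printed only a friendly name
    name: Optional[str]   # friendly name, if HJT printed one
    url: str              # where IE fetched the .cab from

def parse_o16(log_text: str) -> List[DpfEntry]:
    """Pull every O16 line out of a HijackThis log into a structured record."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            desc, url = m.group("desc"), m.group("url")
            c = CLSID_RE.match(desc)
            if c:
                entries.append(DpfEntry(c.group("clsid").upper(), c.group("name"), url))
            else:
                entries.append(DpfEntry(None, desc, url))
    return entries

def needs_review(entries: List[DpfEntry]) -> List[DpfEntry]:
    """Entries with no vetted CLSID: unknown to the helper, not proven bad."""
    return [e for e in entries if e.clsid is None or e.clsid not in VETTED_CLSIDS]
```

Running `needs_review(parse_o16(SAMPLE_LOG))` returns the two pogo game entries and the two unnamed CLSIDs, including the one Budfred singled out above.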



