Topic: Need Help on My Hijack Virus Log File

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Need Help on My Hijack Virus Log File
« Reply #20 on: January 25, 2005, 11:11:38 PM »
Quote: "since I don't have a legitimate version of Windows installed"

Make sure that if you don't have a third-party firewall installed,
you at minimum enable XP's firewall.

Ensure that you installed SpywareBlaster and IE-Spyad

Scan everything that you download with your Anti-Virus
Make sure your AV is always kept up to date

I would also install SpywareGuard for real-time protection against spyware:
http://www.javacoolsoftware.com/spywareguard.html
DON'T install this yet, as it can deter from removing that leftover BHO

Can you do me a favor?
Could you please go to this link:
http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool
Download, UNZIP and run "RegSrch.vbs" >> Allow this to run, even if prompted by your AV.
Copy and paste this in the dialog box:
{49370EE5-C91C-33ED-07BE-B72A45CA6F68}

Hit OK
After a while (about 10 seconds) a prompt will come up. Click OK to write the results to WordPad or Notepad and post them.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


homepham

  • Guest
Need Help on My Hijack Virus Log File
« Reply #21 on: January 26, 2005, 02:39:23 AM »
Hi Guestolo,

I followed your instructions and ran Registry Search Tool twice, but it couldn't find an instance of the string {49370EE5-C91C-33ED-07BE-B72A45CA6F68}.

Last night, I used Windows search tool searching for this string in C: drive. The tool ran for whole night. I stopped it in the morning.

It's strange!

Please advise! Thanks again for your help.

Offline guestolo

Need Help on My Hijack Virus Log File
« Reply #22 on: January 26, 2005, 06:40:14 PM »
Would you mind posting a fresh HijackThis log?

There is no file related to the BHO, so it's just a leftover Registry string.
It's not doing any harm; I just wonder why we can't remove it.

If you get any warning from any Security related program that something is making a change, allow the change



Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #23 on: January 27, 2005, 01:00:31 AM »
Hi Guestolo,

Thanks again for helping me clean up these viruses.

The log file starts from here:
==========================

Logfile of HijackThis v1.99.0
Scan saved at 8:42:34 PM, on 1/26/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
=====================

The log file ends here:

Thank you.

Offline guestolo

Need Help on My Hijack Virus Log File
« Reply #24 on: January 27, 2005, 07:29:59 PM »
The log looks good, all except for that BHO with file missing

Since we couldn't find it with RegSrch or your own search, I'm convinced that SpySweeper is still getting in the way.
I don't have SpySweeper; there must be an option to disable its real-time protection.
Restart your computer >> Ensure SpySweeper isn't running; you can check with another scan with HijackThis.
Fix this entry with Hijackthis
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
Restart your computer

And then enable Spysweeper again

Let me know how that works for you

But everything else looks good :D

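The advice in the last two replies rests on one reading of the HijackThis O2 line: a BHO whose path column says "(no file)" is a registration with no DLL behind it, so what remains to remove is the registry entry, not malware code. The following script is an added example, not code from this thread or from HijackThis or Spybot; it parses O2 lines from a constructed sample modelled on the log posted above, flags entries whose file is missing, and lists the two standard registry keys (the Explorer "Browser Helper Objects" key and the HKCR CLSID key) where such a registration lives and where its removal can be verified. The sample log text and the function names are the example's own.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample modelled on the O2/O4 lines posted in this thread; it is
# not a log captured by this script.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""


class BhoEntry(NamedTuple):
    name: Optional[str]   # None when HijackThis prints "(no name)"
    clsid: str            # upper-cased "{...}" CLSID
    path: Optional[str]   # None when HijackThis prints "(no file)"


_GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "O2 - BHO: <name> - {CLSID} - <path>"; the name is matched lazily so a
# " - " inside it cannot swallow the CLSID column.
_O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>" + _GUID + r") - (?P<path>.+)$")


def parse_bho_entries(log_text: str) -> List[BhoEntry]:
    """Return every O2 (Browser Helper Object) line as a structured entry."""
    entries: List[BhoEntry] = []
    for raw in log_text.splitlines():
        m = _O2_LINE.match(raw.strip())
        if m is None:
            continue
        name, path = m.group("name"), m.group("path")
        entries.append(BhoEntry(
            name=None if name == "(no name)" else name,
            clsid=m.group("clsid").upper(),
            path=None if path == "(no file)" else path,
        ))
    return entries


def orphaned_bhos(log_text: str) -> List[str]:
    """CLSIDs of BHOs whose DLL is gone: only the registry registration is left."""
    return [e.clsid for e in parse_bho_entries(log_text) if e.path is None]


# Standard locations of a BHO registration: the first key is what makes
# Internet Explorer load the object, the second is its COM class registration.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKCR\CLSID"


def registry_locations(clsid: str) -> List[str]:
    """Registry keys to inspect (or verify removed) for a given BHO CLSID."""
    return [BHO_KEY + "\\" + clsid, CLSID_KEY + "\\" + clsid]


def report(log_text: str) -> str:
    """Human-readable summary: one line per BHO, plus the keys to check for orphans."""
    lines = []
    for e in parse_bho_entries(log_text):
        status = "ORPHANED (no file)" if e.path is None else "ok"
        lines.append(f"{e.clsid} {e.name or '(no name)'}: {status}")
        if e.path is None:
            for key in registry_locations(e.clsid):
                lines.append("    check: " + key)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))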


homepham

  • Guest
Need Help on My Hijack Virus Log File
« Reply #25 on: January 28, 2005, 03:01:39 AM »
Hi Guestolo,

Thanks again for helping me deal with viruses!

I followed your instructions exactly. However, I found that there is no chance. Here is the fresh log file.

=============================
Logfile of HijackThis v1.99.0
Scan saved at 10:45:35 PM, on 1/27/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.m-w.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49370EE5-C91C-33ED-07BE-B72A45CA6F68} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTI-V~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\anti-virus\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\ANTI-V~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\anti-virus\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

=============================
Thank you.

Offline guestolo

Need Help on My Hijack Virus Log File
« Reply #26 on: January 28, 2005, 03:03:35 AM »
Let me scratch my head over this for the weekend :lol:

If I can figure out something I'll post back

But before I leave for the night

Can you open Spybot>>>Mode>>advanced mode>>>
Tools>>BHOs
Is it listed there?
If it is can you find any info on it?
« Last Edit: January 28, 2005, 03:07:41 AM by guestolo »



Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #27 on: January 28, 2005, 03:27:33 AM »
Hi Guestolo,

Please do not pull your hair! There is no such thing as perfect in this world.
I'm happy with my computer now in regard to being virus free.

You have helped me so much dealing with the viruses on my computer. Without your help I would have had to reformat the drive already. I almost did so. However, I would like to learn something new from you so that I can communicate with you better in the future if my computer gets hit by a virus again.

There are a few things that you advised me about by downloading free virus protection. I haven't done that. I'll do that in the next couple of days.

From now on, I'll sometimes visit this web site just to admire you for all of your replies to others, to feel that there is someone with a good heart out there.
Your help is greatly appreciated! Thanks for your time and efforts. I respect your expertise! And of course, you are a good guy!


Best Regards,

Homepham

:D

Guest

  • Guest
Need Help on My Hijack Virus Log File
« Reply #28 on: January 28, 2005, 03:47:48 AM »
Hi Guestolo,

You're right on!
========================================
Can you open Spybot>>>Mode>>advanced mode>>>
Tools>>BHO's
Is it listed there?
========================================

Yes, I found the entry in there. Please instruct me on what I should do with it.

================================
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
          BHO name:
        CLSID name: AcroIEHlprObj Class
       description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx, AcroIEhelper.dll
         info link: http://www.adobe.com/products/acrobat/readstep2.html
       info source: TonyKlein
              Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
         Long name:   AcroIEHelper.dll
        Short name:       ACROIE~1.DLL
    Date (created): 11/3/2003 1:17:44 PM
Date (last access): 1/27/2005 11:08:20 PM
 Date (last write): 11/3/2003 1:17:44 PM
          Filesize:              54248
        Attributes:           archive
               MD5: FC7850324464E4D19A24A03D882B5CC4
             CRC32:           452E8571
           Version:            0.6.0.0

{49370EE5-C91C-33ED-07BE-B72A45CA6F68} ()
          BHO name:
        CLSID name:

{53707962-6F74-2D53-2644-206D7942484F} ()
          BHO name:
        CLSID name:
       description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
         info link: http://spybot.eon.net.au/
       info source: Patrick M. Kolla
              Path: C:\PROGRA~1\ANTI-V~1\SPYBOT~1\
         Long name:       SDHelper.dll
        Short name:                  
    Date (created): 5/12/2004 12:03:00 AM
Date (last access): 1/27/2005 11:08:50 PM
 Date (last write): 5/12/2004 12:03:00 AM
          Filesize:             744960
        Attributes:           archive
               MD5: ABF5BA518C6A5ED104496FF42D19AD88
             CRC32:           5587736E
           Version:            0.1.0.3

{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
          BHO name:
        CLSID name: CNavExtBho Class
       description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
         info link: http://www.symantec.com/nav/nav_9xnt/
       info source: TonyKlein
              Path: C:\Program Files\anti-virus\Norton AntiVirus\
         Long name:       NAVSHEXT.DLL
        Short name:                  
    Date (created): 7/4/2004 4:47:16 PM
Date (last access): 1/27/2005 11:08:20 PM
 Date (last write): 11/14/2002 11:09:06 PM
          Filesize:             112248
        Attributes:           archive
               MD5: 988409CE6ED638AAFDBECFB6EC863F4F
             CRC32:           04DD2C8F
           Version:            0.9.0.5

{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
          BHO name:
        CLSID name: CNavExtBho Class
       description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
         info link: http://www.symantec.com/nav/nav_9xnt/
       info source: TonyKlein
              Path: C:\Program Files\anti-virus\Norton AntiVirus\
         Long name:       NAVSHEXT.DLL
        Short name:                  
    Date (created): 7/4/2004 4:47:16 PM
Date (last access): 1/27/2005 11:08:20 PM
 Date (last write): 11/14/2002 11:09:06 PM
          Filesize:             112248
        Attributes:           archive
               MD5: 988409CE6ED638AAFDBECFB6EC863F4F
             CRC32:           04DD2C8F
           Version:            0.9.0.5

{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
          BHO name:
        CLSID name: CNavExtBho Class
       description: Norton Antivirus
    classification: Legitimate
    known filename: NavShExt.dll
         info link: http://www.symantec.com/nav/nav_9xnt/
       info source: TonyKlein
              Path: C:\Program Files\anti-virus\Norton AntiVirus\
         Long name:       NAVSHEXT.DLL
        Short name:                  
    Date (created): 7/4/2004 4:47:16 PM
Date (last access): 1/27/2005 11:08:20 PM
 Date (last write): 11/14/2002 11:09:06 PM
          Filesize:             112248
        Attributes:           archive
               MD5: 988409CE6ED638AAFDBECFB6EC863F4F
             CRC32:           04DD2C8F
           Version:            0.9.0.5
========================================

Thanks :D

Offline guestolo

Need Help on My Hijack Virus Log File
« Reply #29 on: January 28, 2005, 02:14:52 PM »
Just by chance will Spybot allow you to left click and Highlight

{49370EE5-C91C-33ED-07BE-B72A45CA6F68} ()
BHO name:
CLSID name:


and then use the Remove button to remove it?

You may still have to have SpySweeper's protection disabled.

Restart your computer
If you do another scan with HijackThis, is it gone?

By the way, the two programs I recommended installing
SpywareBlaster and IE-Spyad>>both free
They're not really Virus protection
Consider them both Silent Spyware Blockers
They don't run in the background
Both put entries in your Registry>>>They're both worth using :D


SpywareGuard is the only one that uses minimal resources
If you install it --- Check for updates>>>It doesn't and won't update that much but check for updates once a month anyways
« Last Edit: January 28, 2005, 02:27:47 PM by guestolo »
