Help with Hijack log and spybot problems Please!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

singingwinds

Thread Starter
Joined
Sep 13, 2004
Messages
2
I was asked to help with some problems for a business computer hooked up to DSL. They were having problems connecting to a server to order parts, and the administration at that site suggested Spyware as the possible problem. (I believe it is a VB script that will not activate.)

My actions so far:
Of course I checked internet options, added the site as a trusted site. Ran their virus program, and also did an online search for viruses at Symantec. Ran Spybot, then when the problem was not removed tried Adaware. Tried Mozilla. I don't remember everything I tried, but Spybot would list two items repeatedly, say they were fixed, but they always came back. These are the two items:

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-1614895754-2052111302-725345543-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Internet Explorer: Download directory (Registry change, fixed)

The Spybot log would say fixed, but upon closing the program and reopening they would still be a problem. Rebooting, and Spybot running at start did not help either. Are these malicious? Could they be part of the problem?

This is the hijack log, probably done right after the latest Spybot search. I forgot to restart. They had another tech guy working on this too. He downloaded the latest browser updates, the latest Sun Java, and installed security updates. He also changed some IP address info in hopes of solving this, but he too was not successful:
Logfile of HijackThis v1.98.2
Scan saved at 3:21:24 PM, on 9/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snowest.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKLM\..\RunOnce: [SideStepDllDelete] cmd.exe /q /c del /f /q "c:\WINNT\Downloaded Program Files\SbCIe028.dll" "c:\WINNT\Downloaded Program Files\SbCIe028.inf"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - Global Startup: BlackICE Agent.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: Contains -
O16 - DPF: DownloadInformation -
O16 - DPF: InstalledVersion -
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

To make this story even stranger, they were able to connect with dial-up but not DSL. It could be a two part problem of hardware and software, with the router causing a problem. It seems suspicious to me that the problem is so specific and sudden. Can anyone give some light on this situation? I would be so thankful! Maybe I won't pull out all my hair and will be able to sleep more restfully soon. ;)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi singingwinds, Welcome to TSG!!

You have some problems going here.

You are running Hijackthis from a temp folder:
c:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\HijackThis.exe

You have some malware going on but you need to move HijackThis.exe into a permanent folder like My Documents\hjt before we provide instructions on changes.

When you have done that, post another log.
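
The check made by eye in the reply above, written out as an added example (not part of the original thread and not HijackThis's own code): it splits a HijackThis log into running processes and section-coded entries, then reports whether the scanner itself was launched from a temporary folder. The sample is a constructed excerpt of the log posted above; the function names and the temp-folder pattern are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 3:21:24 PM, on 9/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snowest.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
"""

# Section-coded entry line, e.g. "O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Assumed pattern: a path component named Temp or Tmp marks a temporary folder.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_hjt(text):
    """Return (running process paths, entries grouped by section code)."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first entry line ends the process list
            entries[m.group(1)].append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)


def scanner_in_temp(processes):
    """Return the HijackThis.exe path if it runs from a temp folder, else None."""
    for path in processes:
        if path.lower().endswith("hijackthis.exe") and TEMP_RE.search(path):
            return path
    return None


if __name__ == "__main__":
    procs, found = parse_hjt(SAMPLE_LOG)
    print("scanner in temp folder:", scanner_in_temp(procs))
    print({code: len(items) for code, items in found.items()})
```
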
 

singingwinds

Thread Starter
Joined
Sep 13, 2004
Messages
2
The other tech guy working on this deleted HijackThis and whenever I tried to download and install, I would receive an "unexpected error" message.

I guess the Spybot issue is a common one, and probably not a real problem, but instead a bug in Spybot.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Use another machine and download it to a floppy. Run it from the floppy and paste the log back here.
 