
Help with Hijack log and spybot problems Please!

Discussion in 'Virus & Other Malware Removal' started by singingwinds, Sep 13, 2004.

Thread Status:
Not open for further replies.
  1. singingwinds

    singingwinds Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    2
    I was asked to help with some problems for a business computer hooked up to DSL. They were having problems connecting to a server to order parts, and the administration at that site suggested Spyware as the possible problem. (I believe it is a vb script that will not activate)

    My actions so far:
    Of course I checked internet options, added the site as a trusted site. Ran their virus program, and also did an online search for viruses at Symantec. Ran Spybot, then when problem was not removed tried Adaware. Tried Mozilla. I don't remember everything I tried, but Spybot would list two items repeatedly, say they were fixed, but they always came back. These are the two items:

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-21-1614895754-2052111302-725345543-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    Internet Explorer: Download directory (Registry change, fixed)

    The Spybot log would say fixed, but upon closing the program and reopening they would still be a problem. Rebooting, and Spybot running at start did not help either. Are these malicious? Could they be part of the problem?

    This is the hijack log, probably done right after the latest Spybot search. I forgot to restart. They had another tech guy working on this too. He downloaded the latest browser updates, the latest Sun Java, and installed security updates. He also changed some IP address info in hopes of solving this, but he too was not successful:
    Logfile of HijackThis v1.98.2
    Scan saved at 3:21:24 PM, on 9/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\pctspk.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snowest.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /scheduler
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - HKLM\..\RunOnce: [SideStepDllDelete] cmd.exe /q /c del /f /q "c:\WINNT\Downloaded Program Files\SbCIe028.dll" "c:\WINNT\Downloaded Program Files\SbCIe028.inf"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
    O4 - Global Startup: BlackICE Agent.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O16 - DPF: Contains -
    O16 - DPF: DownloadInformation -
    O16 - DPF: InstalledVersion -
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

    To make this story even stranger, they were able to connect with dial-up but not DSL. It could be a two-part problem of hardware and software, with the router causing a problem. It seems suspicious to me that the problem is so specific and sudden. Can anyone shed some light on this situation? I would be so thankful! Maybe I won't pull out all my hair and will be able to sleep more restfully soon. ;)
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi singingwinds, Welcome to TSG!!

    You have some problems going here.

    You are running Hijackthis from a temp folder:
    c:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\HijackThis.exe

    You have some malware going on but you need to move Hijackthis.exe into a permanent folder like My Documents\hjt before we provide instructions on changes.

    When you have done that post another log.
     
  3. singingwinds

    singingwinds Thread Starter

    Joined:
    Sep 13, 2004
    Messages:
    2
    The other tech guy working on this deleted HijackThis and whenever I tried to download and install, I would receive "unexpected error" message.

    I guess the Spybot issue is a common one, and probably not a real problem, but instead a bug in Spybot.
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Use another machine and download it to a floppy. Run it from the floppy and paste the log back here.
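
As an added example (not part of any post in this thread, and not HijackThis's own code), the check cybertech applies to the log in the first reply, HijackThis running from a Temp folder, can be automated together with one other structural observation visible in the posted log: entries whose target is `(no file)`. The sample lines are excerpted from the log above; the function names and note labels are hypothetical.

```python
import re

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\WINNT\Explorer.EXE
C:\DOCUME~1\DANSAN~1\LOCALS~1\Temp\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, e.g. "O4 - ..."
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False          # coded entries follow the process list
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return review notes; these are prompts for a human, not verdicts."""
    processes, entries = parse_log(text)
    notes = []
    for path in processes:
        # The condition the helper asks to be corrected before giving fixes.
        if path.lower().endswith("hijackthis.exe") and TEMP_DIR.search(path):
            notes.append(("hjt-in-temp", path))
    for code, body in entries:
        # Registry entry that points at a file no longer on disk.
        if body.endswith("(no file)"):
            notes.append(("no-file", f"{code} - {body}"))
    return notes
```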
     
Short URL to this thread: https://techguy.org/273721
